Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This i…
[org.codehaus.mevenide:netbeans] Improper Verification of Cryptographic Signature in Apache Netbeans
The “Apache NetBeans” autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. “Apache NetBeans” versions up to and including 11.2 are affected by this vulnerability. NetBeans r…
[org.apache.struts:struts2-core] Cross-site Scripting in Apache Struts
When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the ‘Problem Report’ screen. Also if JSP files are exposed to be accessed directly it’s possible to execute an arbitrary script.
It is generally …
[io.undertow:undertow-core] Undertow vulnerable to Uncontrolled Resource Consumption
A vulnerability was found in the Undertow HTTP server in versions before 2.0.29 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
References
https://nvd.nist.g…
[Microsoft.AspNetCore.App.Runtime.linux-x64] Denial of service in ASP.NET Core
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka ‘ASP.NET Core Denial of Service Vulnerability’.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-0602
https://access.redhat.com/errata/RHSA-2020:0130
h…
[Microsoft.WindowsDesktop.App.Runtime.win-x86] Remote code execution in Microsoft.WindowsDesktop.App.Ref
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka ‘.NET F…
[org.keycloak:keycloak-core] keycloak vulnerable to unauthorized login via mail server setup
A flaw was found in keycloack before version 8.0.0. The owner of ‘placeholder.org’ domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name ‘test’ the email address w…
[org.springframework:spring-web] Spring Framework lacks documentation for unsafe deserialization
Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication …
[com.yahoo.athenz:athenz] Athenz vulnerable to Open Redirect
Open redirect vulnerability in Athenz v1.8.24 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-6035
https://git…
[io.alauda.jenkins.plugins:alauda-kubernetes-support] Improper Authorization in Jenkins Alauda Kubernetes Suport Plugin
A missing permission check in Jenkins Alauda Kubernetes Suport Plugin 2.3.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capt…