Skip to content

トピトピニュース

Header Image
Author

GitHub

1143 Posts

Featured

Posted byGitHub
[github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
Posted byGitHub
[org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
Posted byGitHub
[bitlyshortener] Package discontinued because Bitly lowered the free quota
Posted byGitHub
[baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[edu.internet2.middleware:shibboleth-identityprovider] Improper Certificate Validation in vt-ldap

  • Posted inMODERATE
  • Posted byGitHub
  • 05/14/202211/02/2022

DefaultHostnameVerifier in Ldaptive (formerly vt-ldap) does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL serve…

[org.apache.geode:geode-core] Apache Geode gfsh authorization vulnerability

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/08/2022

When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:M…

[org.apache.geode:geode-core] Apache Geode OQL bind parameter vulnerability

  • Posted inMODERATE
  • Posted byGitHub
  • 05/14/202211/08/2022

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within una…

[org.apache.guacamole:guacamole-common] Apache Guacamole Race Condition vulnerability

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/09/2022

A race condition in Guacamole’s terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the …

[org.jvnet.hudson.plugins.findbugs:library] XML External Entity Reference in Jenkins FindBugs Plugin

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/04/2022

Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forger…

[org.jvnet.hudson.plugins:swarm-plugin] Jenkins Swarm Plugin Client vulnerable to man-in-the-middle attacks

  • Posted inMODERATE
  • Posted byGitHub
  • 05/14/202211/23/2022

Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks.
References

https://nvd…

[org.apache.nifi:nifi] Apache NiFi host header poisoning issue

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/02/2022

A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1…

[org.jvnet.hudson.plugins:ccm] Jenkins CCM Plugin vulnerable to Improper Restriction of XML External Entity Reference

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/23/2022

Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or …

[org.apache.geode:geode-core] Apache Geode configuration request authorization vulnerability

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/08/2022

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration …

[org.apache.geode:geode-core] Apache Geode unsafe deserialization of application objects

  • Posted inHIGH
  • Posted byGitHub
  • 05/14/202211/08/2022

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remo…

Posts navigation

Previous Posts 1 … 89 90 91 92 93 … 115 Next Posts
トピトピニュース
WordPress theme by componentz

Archives

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Hit enter to search or ESC to close