トピトピニュース

Author: GitHub (1143 posts)


[org.apache.geode:geode-core] Apache Geode unsafe deserialization in TcpServer

  • Posted in CRITICAL
  • Posted by GitHub
  • 05/14/2022 / 11/08/2022

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present…

[org.apache.ode:ode] Apache ODE Path Traversal vulnerability

  • Posted in HIGH
  • Posted by GitHub
  • 05/14/2022 / 11/09/2022

The ODE process deployment web service was sensitive to deployment messages with forged names. Using a path as the name allowed directory traversal, resulting in the potential writing of files under unwanted locations, the overwriting of existing …

[org.graylog2:graylog2-server] Cross-site Scripting in Graylog

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/05/2022

Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx.
References

https://nvd.nist.gov/vuln/d…

[org.graylog2:graylog2-server] Cross-site Scripting in Graylog Server

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/05/2022

Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-11650
https://github.com/Graylog2/graylog2-server/pull/4727
http…

[org.apache.struts:struts2-core] Special top object can be used to access Struts’ internals

  • Posted in HIGH
  • Posted by GitHub
  • 05/14/2022 / 11/04/2022

ValueStack defines a special top object which represents the root of the execution context. It can be used to manipulate Struts’ internals or to affect the container’s settings. Applying a better regex which includes a pattern to exclude request parameters t…

[org.apache.struts:struts2-core] Possible DoS attack when using URLValidator

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/04/2022

If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when validation of the URL is performed.
References

https://nvd.nist.gov/vuln/…

[org.csanchez.jenkins.plugins:kubernetes] Exposure of Sensitive Information in Jenkins Kubernetes Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/04/2022

An exposure of sensitive information vulnerability exists in Jenkins Kubernetes Plugin 1.7.0 and older in ContainerExecDecorator.java that results in sensitive variables such as passwords being written to logs.
References

https://nvd.nist.gov/vuln/deta…

[org.jvnet.hudson.plugins:groovy-postbuild] Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/23/2022

A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user’s brow…

[net.opentsdb:opentsdb] OpenTSDB Cross-site Scripting vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/23/2022

An issue was discovered in OpenTSDB 2.3.0. There is XSS in the json parameter of the /q URI.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-12973
https://github.com/OpenTSDB/opentsdb/issues/1240
https://github.com/advisories/GHSA-r68m-wq3x-2hqw

[io.jenkins:configuration-as-code] Jenkins Configuration as Code Plugin vulnerable to Exposure of Sensitive Information

  • Posted in MODERATE
  • Posted by GitHub
  • 05/14/2022 / 11/09/2022

An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. Ve…
