Apache Solr’s Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider…
[org.apache.tomcat:tomcat] Inconsistent documentation in Apache Tomcat
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script t…
[jquery] jQuery vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
References
https://nvd.nist.gov/vuln/detail/CVE-2011-4969
h…
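As an added illustration, not code from jQuery or from the advisory, the following models why `$(location.hash)` was exploitable: before 1.6.3 the `$()` fast-path regex treated any string containing a tag as HTML, so a fragment such as `#<img src=x onerror=...>` was parsed into the DOM instead of being used as a selector. The two regexes below are my reconstruction of jQuery's internal `quickExpr` in 1.6.2 and 1.6.3 (an assumption; check against the released files), and `classify`, `safeHashTarget` and the crafted fragment are constructed for this example, not part of jQuery.

```javascript
// Reconstruction (assumption) of jQuery's $() fast-path check: group 1 matches
// an HTML string, group 2 matches a bare "#id". The 1.6.3 fix only changed the
// leading class from [^<]* to [^#<]*, so a string that begins with '#' can no
// longer be taken for HTML.
const quickExprBefore = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;  // ~1.6.2
const quickExprAfter = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // ~1.6.3

// Returns how $() would route the string: 'html' (parsed as markup),
// 'id' (getElementById fast path) or 'selector' (handed to the selector engine).
function classify(str, quickExpr) {
  const m = quickExpr.exec(str);
  if (m && m[1]) return 'html';
  if (m && m[2] !== undefined) return 'id';
  return 'selector';
}

// Constructed attacker fragment: a page that calls $(location.hash) on a URL
// ending in this hash would, before 1.6.3, create the <img> element and run
// its onerror handler.
const craftedHash = '#<img src=x onerror=alert(1)>';

// Hardened pattern for application code, independent of the jQuery version:
// only accept an id-shaped fragment and look that id up, never pass the raw
// hash to $(). Returns the id, or null when the fragment is not id-shaped.
function safeHashTarget(hash) {
  const m = /^#([\w-]+)$/.exec(hash);
  return m ? m[1] : null;
}

// Show the difference for a benign fragment, an HTML string and the crafted one.
function demo() {
  const rows = {};
  for (const s of ['#main', '<p>hi</p>', craftedHash]) {
    rows[s] = {
      before: classify(s, quickExprBefore),
      after: classify(s, quickExprAfter),
      safeId: safeHashTarget(s),
    };
  }
  return rows;
}

console.log(demo());
```

The `safeHashTarget` check is the part that matters for application code: an allow-list on the fragment (here `[\w-]+`) means a crafted hash never reaches an HTML parser, whichever library does the element lookup.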
[org.jenkins-ci.main:jenkins-core] Cross-site Scripting in Jenkins Core
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaSc…
[org.jboss.resteasy:resteasy-jaxrs] Denial of service in JBoss resteasy
RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-6346
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
http://www.securityfocu…
[org.jvnet.hudson.plugins:favorite] Jenkins Favorite Plugin vulnerable to Cross-Site Request Forgery
Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF resulting in data modification.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-1000244
https://jenkins.io/security/advisory/2017-06-06/
https://github.com/advisories/GHSA-jqwh…
[org.apache.camel:camel-hessian] Apache Camel camel-hessian component vulnerable to Java object deserialization
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 contains a Java object deserialization vulnerability: Hessian payloads received by the component are deserialized without restriction, and deserializing untrusted data can lead to security flaws such as remote code execution via gadget chains.
References
https://nvd.nist.gov/vuln/detail/C…
[org.biouno:uno-choice] Cross-site Scripting in Jenkins Active Choices plugin
Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the ‘Build With Parameters’ page through the ‘Active Choices Reactive Reference Parameter’ type. This could inc…
[com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent] Cross-site Scripting in wicket-jquery-ui
In wicket-jquery-ui <= 6.29.0, <= 7.10.1 and <= 8.0.0-M9.1, JavaScript submitted through the WYSIWYG editor is stored and executed when the content is later displayed.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-1325
https://markmail.org/message/6bxjyaolehhq7jrl
https://github.com…
[com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent] Cross-site Scripting in wicket-jquery-ui
In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, the WYSIWYG editor does not sanitize its input, allowing an attacker to submit arbitrary JavaScript through the editor.
References
https://nvd.nist.gov/vuln…