In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the “anonymous” user.
References
https://nvd.nist.gov/vuln/detail/…
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-12973
https://bitbu…
In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string —–BEGIN RSA PUBLIC K…
When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user’s umask.
When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentia…
Electron version 1.7.0 – 1.7.5 is vulnerable to a URL Spoofing problem when opening PDFs in PDFium resulting loading arbitrary PDFs that a hacker can control.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-1000424
https://github.com/electron/ele…
The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.
References
https://nvd.nist.gov/vuln/detail/CVE-20…
In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access r…
DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOC…
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-12165
https://bugzilla.redhat…
hawtio before versions 2.0-beta-1, 2.0-beta-2, 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 are vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within…
