An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previou…
[org.apache.xmlgraphics:batik] Apache Batik vulnerable to Server-Side Request Forgery
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-40146
https://…
[rdiffweb] rdiffweb Cross-Site Request Forgery vulnerability can lead to user email ID being changed
rdiffweb prior to version 2.4.7 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can change a user’s email ID. Version 2.4.7 has a fix for this issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3274
https://github.com/ikus060/…
[icecoder/icecoder] ICEcoder vulnerable to Path Traversal
ICEcoder v8.1 allows attackers to perform directory traversal.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34026
https://gist.github.com/enferas/85cdbadf5cba32ec7c8db6ea9e6833bf
https://github.com/icecoder/ICEcoder/blob/master/classes/Setti…
[apache-airflow] Apache Airflow vulnerable to Use of Externally-Controlled Format String
In Apache Airflow 2.3.0 through 2.3.4, part of a URL was unnecessarily formatted, allowing for possible information extraction.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-40604
https://github.com/apache/airflow/pull/26337
https://github.com/…
[OctoPrint] OctoPrint Improper Privilege Management vulnerability
OctoPrint prior to 1.8.3 allows a user with read access only to access a privileged user’s account and functionality. Version 1.8.3 contains a patch for this issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3068
https://github.com/octoprint…
[org.jenkins-ci.plugins:view26] Jenkins View26 Test-Reporting Plugin improperly validates hostname
Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server, which could be abused using a man-in-the-middle attack to intercept these connections.
References
https://nvd.ni…
[org.jenkins-ci.plugins:rundeck] Jenkins Rundeck Plugin Missing Authorization vulnerability
Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.
References
https://nvd.nist.gov/…
[io.jenkins.plugins:cavisson-ns-nd-integration] Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-Site Request Forgery
A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials. Version 4.8.0.130 req…
[io.jenkins.plugins:cavisson-ns-nd-integration] Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization
A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials. Version 4.8.0….