Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.
References
https://nvd.nist.gov/vuln/…
A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing cred…
Impact
A potential unsafe deserialization issue exists within the autogluon.multimodal module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of untrusted data may allow an unprivileged third party to cause…
Impact
Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious “payload compressor” field.
This vulnerability impacts the extract and files methods of the RPM::File class in the affected ve…
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentiall…
Impact
It’s possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation.
More specifically, editing a right with the object editor leads to adding a supplementary empty value to groups which is then resolved as a refer…
Impact
A bug in the security cache is storing rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry.
That means that it’s possible to overwrite the rights of a space or a document by creating the page of the space with …
Impact
Math.random and crypto.getRandomValues methods failed to use sufficiently random values. The initial value to seed the CSPRNG (cryptographically secure pseudorandom number generator) was baked-in to the final WebAssembly module meaning the seque…
Incorrect handling of the supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to …
Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may …
