Total
324357 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-2607 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. | ||||
| CVE-2017-2606 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. | ||||
| CVE-2017-2604 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). | ||||
| CVE-2017-2603 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). | ||||
| CVE-2017-2602 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). | ||||
| CVE-2017-2601 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.4 Medium |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions. | ||||
| CVE-2017-2600 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| In jenkins before versions 2.44, 2.32.2 node monitor data could be viewed by low privilege users via the remote API. These included system configuration and runtime information of these nodes (SECURITY-343). | ||||
| CVE-2017-2599 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.4 Medium |
| Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321). | ||||
| CVE-2017-2598 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode without IV for encrypting secrets which makes Jenkins and the stored secrets vulnerable to unnecessary risks (SECURITY-304). | ||||
| CVE-2017-2595 | 1 Redhat | 2 Enterprise Linux, Jboss Enterprise Application Platform | 2024-11-21 | N/A |
| It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal. | ||||
| CVE-2017-2594 | 2 Hawt, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. | ||||
| CVE-2017-2592 | 3 Canonical, Openstack, Redhat | 3 Ubuntu Linux, Oslo.middleware, Openstack | 2024-11-21 | N/A |
| python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens). | ||||
| CVE-2017-2591 | 2 Fedoraproject, Redhat | 2 389 Directory Server, Enterprise Linux | 2024-11-21 | N/A |
| 389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service. | ||||
| CVE-2017-2590 | 2 Freeipa, Redhat | 7 Freeipa, Enterprise Linux, Enterprise Linux Desktop and 4 more | 2024-11-21 | N/A |
| A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, and ca-enable commands did not properly check the user's permissions while modifying CAs in Dogtag. An authenticated, unauthorized attacker could use this flaw to delete, disable, or enable CAs causing various denial of service problems with certificate issuance, OCSP signing, and deletion of secret keys. | ||||
| CVE-2017-2589 | 2 Hawt, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. | ||||
| CVE-2017-2587 | 1 Netpbm Project | 1 Netpbm | 2024-11-21 | N/A |
| A memory allocation vulnerability was found in netpbm before 10.61. A maliciously crafted SVG file could cause the application to crash. | ||||
| CVE-2017-2586 | 1 Netpbm Project | 1 Netpbm | 2024-11-21 | N/A |
| A null pointer dereference vulnerability was found in netpbm before 10.61. A maliciously crafted SVG file could cause the application to crash. | ||||
| CVE-2017-2585 | 1 Redhat | 5 Enterprise Linux Server, Jboss Single Sign On, Keycloak and 2 more | 2024-11-21 | N/A |
| Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks. | ||||
| CVE-2017-2582 | 1 Redhat | 3 Enterprise Linux, Jboss Enterprise Application Platform, Keycloak | 2024-11-21 | N/A |
| It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. | ||||
| CVE-2017-2581 | 1 Netpbm Project | 1 Netpbm | 2024-11-21 | N/A |
| An out-of-bounds write vulnerability was found in netpbm before 10.61. A maliciously crafted file could cause the application to crash or possibly allow code execution. | ||||