Total
4343 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-13565 | 7 Apple, Canonical, Debian and 4 more | 9 Mac Os X, Ubuntu Linux, Debian Linux and 6 more | 2024-11-21 | 7.5 High |
| An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user. | ||||
| CVE-2019-13164 | 4 Canonical, Debian, Opensuse and 1 more | 4 Ubuntu Linux, Debian Linux, Leap and 1 more | 2024-11-21 | 7.8 High |
| qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. | ||||
| CVE-2019-13028 | 1 Minv | 1 Electronic Identification Cards Client | 2024-11-21 | N/A |
| An incorrect implementation of a local web server in eID client (Windows version before 3.1.2, Linux version before 3.0.3) allows remote attackers to execute arbitrary code (.cgi, .pl, or .php) or delete arbitrary files via a crafted HTML page. This is a product from the Ministry of Interior of the Slovak Republic. | ||||
| CVE-2019-12670 | 1 Cisco | 1 Ios | 2024-11-21 | 6.7 Medium |
| A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device. The vulnerability is due to insufficient file permissions. An attacker could exploit this vulnerability by modifying files that they should not have access to. A successful exploit could allow the attacker to remove container protections and perform file actions outside the namespace of the container. | ||||
| CVE-2019-12648 | 1 Cisco | 6 807 Industrial Integrated Services Routers, 809 Industrial Integrated Services Routers, 829 Industrial Integrated Services Routers and 3 more | 2024-11-21 | 8.8 High |
| A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user. | ||||
| CVE-2019-12627 | 1 Cisco | 29 Amp 7150, Amp 8150, Firepower 7010 and 26 more | 2024-11-21 | 7.5 High |
| A vulnerability in the application policy configuration of the Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data. The vulnerability is due to insufficient application identification. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to gain unauthorized read access to sensitive data. | ||||
| CVE-2019-12418 | 7 Apache, Canonical, Debian and 4 more | 7 Tomcat, Ubuntu Linux, Debian Linux and 4 more | 2024-11-21 | 7.0 High |
| When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. | ||||
| CVE-2019-11899 | 1 Bosch | 1 Access | 2024-11-21 | 7.5 High |
| An unauthenticated attacker can achieve unauthorized access to sensitive data by exploiting Windows SMB protocol on a client installation. With Bosch Access Professional Edition (APE) 3.8, client installations need to be authorized by the APE administrator. | ||||
| CVE-2019-11896 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 7.1 High |
| A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction. | ||||
| CVE-2019-11895 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 5.3 Medium |
| A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction. | ||||
| CVE-2019-11894 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 5.7 Medium |
| A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed. | ||||
| CVE-2019-11892 | 1 Bosch | 2 Smart Home Controller, Smart Home Controller Firmware | 2024-11-21 | 8.0 High |
| A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction. | ||||
| CVE-2019-11786 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.3 Medium |
| Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements. | ||||
| CVE-2019-11785 | 1 Odoo | 1 Odoo | 2024-11-21 | 4.3 Medium |
| Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages. | ||||
| CVE-2019-11784 | 1 Odoo | 1 Odoo | 2024-11-21 | 6.5 Medium |
| Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to. | ||||
| CVE-2019-11783 | 1 Odoo | 1 Odoo | 2024-11-21 | 6.5 Medium |
| Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited. | ||||
| CVE-2019-11782 | 1 Odoo | 1 Odoo | 2024-11-21 | 6.5 Medium |
| Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation. | ||||
| CVE-2019-11780 | 1 Odoo | 1 Odoo | 2024-11-21 | 8.1 High |
| Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation. | ||||
| CVE-2019-11248 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 8.2 High |
| The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. | ||||
| CVE-2019-11247 | 2 Kubernetes, Redhat | 3 Kubernetes, Openshift, Openshift Container Platform | 2024-11-21 | 8.1 High |
| The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. | ||||