Total
55 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-30103 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2024-08-14 | 8.8 High |
| Microsoft Outlook Remote Code Execution Vulnerability | ||||
| CVE-2014-7230 | 3 Canonical, Openstack, Redhat | 5 Ubuntu Linux, Cinder, Nova and 2 more | 2024-08-06 | N/A |
| The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. | ||||
| CVE-2014-7231 | 2 Openstack, Redhat | 4 Cinder, Nova, Trove and 1 more | 2024-08-06 | N/A |
| The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. | ||||
| CVE-2014-3472 | 1 Redhat | 5 Jboss Bpms, Jboss Brms, Jboss Enterprise Application Platform and 2 more | 2024-08-06 | N/A |
| The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors. | ||||
| CVE-2015-5946 | 1 Sugarcrm | 1 Sugarcrm | 2024-08-06 | N/A |
| Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. | ||||
| CVE-2016-7076 | 2 Redhat, Sudo Project | 2 Enterprise Linux, Sudo | 2024-08-06 | N/A |
| sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. | ||||
| CVE-2016-7032 | 2 Redhat, Todd Miller | 2 Enterprise Linux, Sudo | 2024-08-06 | N/A |
| sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function. | ||||
| CVE-2016-6189 | 1 Alinto | 1 Sogo | 2024-08-06 | 4.3 Medium |
| Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. | ||||
| CVE-2016-0793 | 2 Microsoft, Redhat | 2 Windows, Jboss Wildfly Application Server | 2024-08-05 | N/A |
| Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters. | ||||
| CVE-2017-1000096 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-08-05 | N/A |
| Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. | ||||
| CVE-2017-1000095 | 2 Jenkins, Redhat | 2 Script Security, Openshift | 2024-08-05 | N/A |
| The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object). | ||||
| CVE-2017-7540 | 1 Safemode Project | 1 Safemode | 2024-08-05 | N/A |
| rubygem-safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation. | ||||
| CVE-2017-2602 | 1 Jenkins | 1 Jenkins | 2024-08-05 | N/A |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). | ||||
| CVE-2018-16863 | 2 Artifex, Redhat | 8 Ghostscript, Enterprise Linux, Enterprise Linux Desktop and 5 more | 2024-08-05 | N/A |
| It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7. | ||||
| CVE-2018-15746 | 2 Qemu, Redhat | 4 Qemu, Enterprise Linux, Openstack and 1 more | 2024-08-05 | 5.5 Medium |
| qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. | ||||
| CVE-2018-7489 | 4 Debian, Fasterxml, Oracle and 1 more | 10 Debian Linux, Jackson-databind, Communications Billing And Revenue Management and 7 more | 2024-08-05 | N/A |
| FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. | ||||
| CVE-2018-6383 | 1 Monstra | 1 Monstra | 2024-08-05 | 8.8 High |
| Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048. | ||||
| CVE-2018-5968 | 4 Debian, Fasterxml, Netapp and 1 more | 12 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 9 more | 2024-08-05 | 8.1 High |
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. | ||||
| CVE-2019-10328 | 2 Jenkins, Redhat | 2 Pipeline Remote Loader, Openshift | 2024-08-04 | N/A |
| Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. | ||||
| CVE-2019-9212 | 1 Antfin | 1 Sofa-hessian | 2024-08-04 | N/A |
| SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the blacklist is being misused. SOFA Hessian supports custom blacklist and a disclaimer was posted encouraging users to update the blacklist or to use the whitelist feature for their specific needs since the blacklist is not being actively updated | ||||