Total: 9115 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-10247 | 4 Debian, Eclipse, Netapp and 1 more | 26 Debian Linux, Jetty, Element and 23 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | |||||
CVE-2019-10246 | 4 Eclipse, Microsoft, Netapp and 1 more | 26 Jetty, Windows, Element and 23 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. | |||||
CVE-2019-10243 | 1 Eclipse | 1 Kura | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying Ui Web server version in its replies. This can be used as a hint by an attacker to specifically craft attacks to the web server run by Kura. | |||||
CVE-2019-10224 | 1 Fedoraproject | 1 389 Directory Server | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information. | |||||
CVE-2019-10223 | 3 Kubernetes, Linux, Redhat | 3 Kube-state-metrics, Linux Kernel, Openshift Container Platform | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible. | |||||
CVE-2019-10217 | 1 Redhat | 1 Ansible | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by the no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents(), which is a common class for all gcp modules, is not setting no_log to True. Any sensitive data managed by that function would be leaked as output when running ansible playbooks. | |||||
CVE-2019-10209 | 1 Postgresql | 1 Postgresql | 2024-11-21 | 3.5 LOW | 2.2 LOW |
Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan. | |||||
CVE-2019-10195 | 2 Fedoraproject, Freeipa | 2 Fedora, Freeipa | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed. | |||||
CVE-2019-10183 | 1 Redhat | 2 Enterprise Linux, Virt-manager | 2024-11-21 | 2.1 LOW | 3.2 LOW |
The virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. This option accepts the guest VM password as a command line argument, thus leaking it to other users on the system via process listing. It was introduced recently in the virt-manager v2.2.0 release. | |||||
CVE-2019-10175 | 1 Kubevirt | 1 Containerized-data-importer | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A flaw was found in the containerized-data-importer in virt-cdi-cloner, version 1.4, where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other users' data. | |||||
CVE-2019-10156 | 2 Debian, Redhat | 3 Debian Linux, Ansible, Openstack | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. | |||||
CVE-2019-10109 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. EXIF geolocation data were not removed from images when uploaded to GitLab. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data (if present). | |||||
CVE-2019-10083 | 1 Apache | 1 Nifi | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to. | |||||
CVE-2019-1010299 | 1 Rust-lang | 1 Rust | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. The impact is: Contents of uninitialized memory could be printed to string or to log file. The component is: Debug trait implementation for std::collections::vec_deque::Iter. The attack vector is: The program needs to invoke debug printing for iterator over an empty VecDeque. The fixed version is: 1.30.0, nightly versions after commit b85e4cc8fadaabd41da5b9645c08c68b8f89908d. | |||||
CVE-2019-1010283 | 1 Univention | 1 Univention Corporate Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later. | |||||
CVE-2019-1010024 | 1 Gnu | 1 Glibc | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." | |||||
CVE-2019-1003021 | 1 Jenkins | 1 Openid Connect Authentication | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret. | |||||
CVE-2019-1003018 | 1 Jenkins | 1 Github Oauth | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret. | |||||
CVE-2019-0647 | 1 Microsoft | 1 Team Foundation Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team. | |||||
CVE-2019-0545 | 1 Microsoft | 11 .net Core, .net Framework, Windows 10 and 8 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7/4.7.1/4.7.2, .NET Core 2.1, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 2.2, Microsoft .NET Framework 4.7.2. |