Total: 4661 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-10175 | 1 Kubevirt | 1 Containerized-data-importer | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A flaw was found in the containerized-data-importer in virt-cdi-cloner, version 1.4, where the host-assisted cloning feature does not determine whether the requesting user has permission to access the Persistent Volume Claim (PVC) in the source namespace. This could allow users to clone any PVC in the cluster into their own namespace, effectively allowing access to other users' data.
CVE-2019-10167 | 1 Redhat | 9 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH | The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
CVE-2019-10161 | 2 Canonical, Redhat | 5 Ubuntu Linux, Enterprise Linux, Libvirt and 2 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.
CVE-2019-10147 | 1 Redhat | 1 Rkt | 2024-11-21 | 6.9 MEDIUM | 7.7 HIGH | rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
CVE-2019-10145 | 1 Redhat | 1 Rkt | 2024-11-21 | 6.9 MEDIUM | 7.7 HIGH | rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` do not have seccomp filtering during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
CVE-2019-1010304 | 1 Mirumee | 1 Saleor | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | Saleor: the issue was introduced by merge commit e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of the 2.0.0 release and is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: an unauthenticated user can access the GraphQL API (which is by default publicly exposed under the `/graphql/` URL) and fetch product data which may include the shop's admin-restricted revenue data. The fixed version is: 2.3.1.
CVE-2019-1010246 | 1 Mailcleaner | 1 Mailcleaner | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: the API call in the function allowAction() in NewslettersController.php. The attack vector is: HTTP GET request. The fixed version is: c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9.
CVE-2019-1010152 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: user/manage.php, lines 31-80.
CVE-2019-1010150 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: /user/zssave.php.
CVE-2019-1010149 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | zzcms version 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: zzcms File Delete to Code Execution. The component is: user/licence_save.php.
CVE-2019-1010066 | 1 Llnl | 1 Model Specific Registers-safe | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Lawrence Livermore National Laboratory msr-safe v1.1.0 is affected by: Incorrect Access Control. The impact is: an attacker could modify model specific registers. The component is: ioctl handling. The attack vector is: an attacker could exploit a bug in the ioctl interface whitelist checking in order to write to model specific registers, normally a function reserved for the root user. The fixed version is: v1.2.0.
CVE-2019-1003099 | 1 Jenkins | 1 Openid | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003093 | 1 Jenkins | 1 Nomad | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003091 | 1 Jenkins | 1 Soasta Cloudtest | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003087 | 1 Jenkins | 1 Chef Sinatra | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003085 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003083 | 1 Jenkins | 1 Gearman | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003081 | 1 Jenkins | 1 Openshift Deployer | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003079 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
CVE-2019-1003077 | 1 Jenkins | 1 Audit To Database | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.