Total
316927 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-2623 | 2 Redhat, Rpm-ostree | 3 Enterprise Linux, Rpm-ostree, Rpm-ostree-client | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default. | |||||
| CVE-2017-2622 | 1 Redhat | 1 Openstack | 2024-11-21 | 2.1 LOW | 5.9 MEDIUM |
| An accessibility flaw was found in the OpenStack Workflow (mistral) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. | |||||
| CVE-2017-2621 | 2 Openstack, Redhat | 2 Heat, Openstack | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. | |||||
| CVE-2017-2620 | 5 Citrix, Debian, Qemu and 2 more | 10 Xenserver, Debian Linux, Qemu and 7 more | 2024-11-21 | 9.0 HIGH | 5.5 MEDIUM |
| Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. | |||||
| CVE-2017-2619 | 3 Debian, Redhat, Samba | 3 Debian Linux, Enterprise Linux, Samba | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. | |||||
| CVE-2017-2618 | 3 Debian, Linux, Redhat | 8 Debian Linux, Linux Kernel, Enterprise Linux and 5 more | 2024-11-21 | 4.9 MEDIUM | 5.5 MEDIUM |
| A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to attempt to access unmapped kernel memory. | |||||
| CVE-2017-2616 | 3 Debian, Redhat, Util-linux Project | 7 Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server and 4 more | 2024-11-21 | 4.7 MEDIUM | 5.5 MEDIUM |
| A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. | |||||
| CVE-2017-2615 | 5 Citrix, Debian, Qemu and 2 more | 10 Xenserver, Debian Linux, Qemu and 7 more | 2024-11-21 | 9.0 HIGH | 5.5 MEDIUM |
| Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. | |||||
| CVE-2017-2614 | 1 Redhat | 1 Enterprise Virtualization | 2024-11-21 | 2.1 LOW | 6.8 MEDIUM |
| When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts. | |||||
| CVE-2017-2613 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation CSRF using GET by admins. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records (SECURITY-406). | |||||
| CVE-2017-2612 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK. | |||||
| CVE-2017-2611 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents. | |||||
| CVE-2017-2610 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping users with less-than and greater-than characters in their names (SECURITY-388). | |||||
| CVE-2017-2609 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including the ones for which the current user does not have access to. | |||||
| CVE-2017-2608 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). | |||||
| CVE-2017-2607 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 4.2 MEDIUM |
| jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs. | |||||
| CVE-2017-2606 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction. | |||||
| CVE-2017-2604 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371). | |||||
| CVE-2017-2603 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 3.5 LOW | 2.6 LOW |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362). | |||||
| CVE-2017-2602 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 4.0 MEDIUM | 3.1 LOW |
| jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358). | |||||