ゴッサム・シティを舞台にした新作オープンワールドアクションRPG「ゴッサム・ナイツ」当初は2021年…
[VladTheEnterprising] VladTheEnterprising allows local users to write to arbitrary files via a symlink attack
lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target_host}.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-4996
https://exchange.xforce.ibmc…
[VladTheEnterprising] VladTheEnterprising allows local users to obtain sensitive information by reading MySQL root password from temporary file
Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to obtain sensitive information by reading the MySQL root password from a temporary file before it is removed.
References
https://nvd.nist.gov/vuln/…
[backup_checksum] backup-agoddard and backup_checksum have Information Exposure vulnerability
(1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by list…
[point-cli] point-cli allows local users to obtain sensitive information by listing the process
lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-4997
http://ww…
[kajam] kajam allows local users to obtain sensitive information by listing the process
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local use…
[lean-ruport] lean-ruport allows local users to obtain sensitive information by listing the process
test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.
References
https://nvd.nist.gov/vuln/detail/CVE-20…
[se.diabol.jenkins.pipeline:delivery-pipeline-plugin] Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability
The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used the unescaped content of the query parameter ‘fullscreen’ in its JavaScript, resulting in a cross-site scripting vulnerability through specially crafted URLs. Version 1.0.8 of the plug…
[ldap_fluff] ldap_fluff authentication bypass
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.
References
https://nvd.nist.gov/vuln/detail/CVE-2012-5604
https:/…
[org.jenkins-ci.plugins:cucumber-living-documentation] Jenkins Cucumber Living Documentation Plugin Cross-site Scripting vulnerability
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing att…