Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Apache Airflow Spark Provider, Apache Airflow allows an attacker to read arbitrary files in the task execution context, without write access to D…
[tooljet] ToolJet is vulnerable to Denial of Service (DoS)
ToolJet/ToolJet placed no limit on the file size for user avatars. This could cause a denial of service if too many users upload large files. This is fixed in commit 01cd3f0464747973ec329e9fb1ea12743d3235cc in version 1.27.0.
References
https://nvd.ni…
[aliyun-oss-client] Leakage of Aliyun KeySecret
Impact
Users of this library are affected: the KeySecret supplied to the library is disclosed unintentionally.
Patches
This has already been fixed.
Workarounds
No, it cannot be patched without upgrading.
References
No
For more informati…
[rdiffweb] Rdiffweb vulnerable to Missing Authentication for Critical Function
Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0a6.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4018
https://github.com/ikus060/rdiffweb/commit/f2a32f2a9f3fb8be1a9432ac3d81d3aacdb13095
https://…
[org.jenkins-ci.plugins:dockerhub-notification] Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin
CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.
In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these en…
[io.jenkins.plugins:cavisson-ns-nd-integration] SSL/TLS certificate validation globally and unconditionally disabled by Jenkins NS-ND Integration Performance Publisher Plugin
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
NS-ND Integration Performance Publisher Plugin 4.8.0.146 no lo…
[org.jenkins-ci.plugins:delete-log-plugin] Missing permission check in Jenkins Delete log Plugin
A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. As of publication of this advisory, there is no fix.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-45394
ht…
[io.loader:loaderio-jenkins-plugin] Missing permission check in Jenkins loader.io Plugin allows enumerating credentials IDs
loader.io Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capt…
[io.jenkins.plugins:cavisson-ns-nd-integration] Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by attackers with Item/Extended Read permiss…
[org.jenkins-ci.plugins:support-core] Incorrect permission checks in Jenkins Support Core Plugin
Support Core Plugin defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information.
Support Core Plugin 1206.v14049fa_b_d86…