Vulnerabilities

CVE-2018-100081


Security vulnerability in asset-pipeline and Jetty | OCI Grails Team Blog File reading vulnerability · Issue #11068 · grails/grails-core · GitHub
Asset Pipeline Grails Plugin Asset-pipeline plugin versions prior to 2.14.1.1, 2.15.1 and 3.0.6 contain an Incorrect Access Control vulnerability in applications deployed in Jetty that can result in download of .class files and any arbitrary file. This attack appears to be exploitable via a specially crafted GET request containing directory traversal from the assets-pipeline context. This vulnerability appears to have been fixed in 2.14.1.1 (for Grails 2.x), 2.15.1 (for Grails 3 and Java 7) and 3.0.6 (for

CVE-2018-100084


Lock down JAXB. Don't load remote entities. by swankjesse · Pull Request #2735 · square/retrofit · GitHub
Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain an XML External Entity (XXE) vulnerability in JAXB that can result in an attacker remotely reading files from the file system or performing SSRF. This vulnerability appears to have been fixed after commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

CVE-2018-100084


Alpine 3.8.1 released | Alpine Linux Remote Code Execution in Alpine Linux
Alpine Linux versions prior to 2.6.10, 2.7.6, and 2.10.1 contain an Other/Unknown vulnerability in apk-tools (Alpine Linux's package manager) that can result in Remote Code Execution. This attack appears to be exploitable via a specially crafted APK file, which can cause apk to write arbitrary data to an attacker-specified file, due to bugs in handling a long link target name and the way a regular file is extracted. This vulnerability appears to have been fixed in 2.6.10, 2.7.6, and 2.10.1.

CVE-2018-100085


Widely used open source software contained bitcoin-stealing backdoor | Ars Technica Statement on NPM Package Vulnerability in v5.0.2-5.1.0 of Copay Wallets `event-stream` dependency attack steals wallets from users of copay · Issue #9346 · bitpay/copay · GitHub I don't know what to say. · Issue #116 · dominictarr/event-stream · GitHub
Copay Bitcoin Wallet versions 5.01 to 5.1.0 included contain an Other/Unknown vulnerability in wallet private key storage that can result in users' private keys being compromised. This attack appears to be exploitable because affected versions run the malicious code at startup. This vulnerability appears to have been fixed in 5.2.0 and later.

CVE-2018-100085


Advisory 01/2018: Multiple vulnerabilities in GnuPG/dirmngr regarding WKD | SektionEins GmbH Attacks on GnuPG's Web Key Directory (WKD) | SektionEins GmbH
GnuPG versions 2.1.12 - 2.2.11 contain a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in attacker-controlled CSRF, Information Disclosure, DoS. This attack appears to be exploitable when the victim performs a WKD request, e.g. enters an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed after commit 4a4bb874f63741026bd26264c43bb32b1099f060.

CVE-2018-100088


elixir-security-advisories/2017-04-17.yml at master · dependabot/elixir-security-advisories · GitHub Validate cookie headers · elixir-plug/plug@8857f8a · GitHub
Elixir Plug, all versions, contains a Header Injection vulnerability in Connection that can result in headers being added given a cookie value. This attack appears to be exploitable via crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in >= 1.3.5 or ~> 1.2.5 or ~> 1.1.9 or ~> 1.0.6.

CVE-2018-100088


Timing attack fix from security experts https://arcturussecurity.com · serghey-rodin/vesta@5f68c1b · GitHub
Vesta CP versions prior to commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 -- any release prior to 0.9.8-18 -- contain a CWE-208 / Information Exposure Through Timing Discrepancy vulnerability in the password reset code (web/reset/index.php, line 51) that can result in password reset codes being determinable, so that an attacker is able to change the administrator password. This attack appears to be exploitable via unauthenticated network connectivity. This vulnerability appears to have been fixed after commit

CVE-2018-100088


Full Disclosure: Remote-Command-Execution in PHKP | FyhTech
PHKP versions up to and including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contain an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function pgp_exec() (phkp.php:98) that can result in manipulation of gpg keys or remote command execution. This attack appears to be exploitable via the HKP API: /pks/lookup?search.

CVE-2018-100088


New PHP Exploitation Technique Added https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf Bug #23782 :: Prevent phar:// files from being extracted Archive_Tar
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class its

CVE-2018-100088


Prevent XXE when loading circuit files by kvakil · Pull Request #139 · reds-heig/logisim-evolution · GitHub XXE in Logisim 2.7.1 and forks | kvakil
Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality (loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java) that can result in information leak, possible RCE depending on system configuration. This attack appears to be exploitable via the victim opening a specially crafted circuit file. This vulnerability appears to have been fixed in 2.14.4.

CVE-2018-100099


https://jenkins.io/security/advisory/2018-10-10/#SECURITY-867
A path traversal vulnerability exists in the Stapler web framework used by Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/org/kohsuke/stapler/Facet.java, groovy/src/main/java/org/kohsuke/stapler/jelly/groovy/GroovyFacet.java, jelly/src/main/java/org/kohsuke/stapler/jelly/JellyFacet.java, jruby/src/main/java/org/kohsuke/stapler/jelly/jruby/JRubyFacet.java, jsp/src/main/java/org/kohsuke/stapler/jsp/JSPFacet.java that allows attackers to render routable objects using any v

CVE-2018-12159


INTEL-SA-00169
Buffer overflow in the command-line interface for Intel(R) PROSet Wireless v20.50 and before may allow an authenticated user to potentially enable denial of service via local access.

CVE-2018-3700


INTEL-SA-00200
Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via local access.

CVE-2019-0101


INTEL-SA-00214
Authentication bypass in the Intel Unite(R) solution versions 3.2 through 3.3 may allow an unauthenticated user to potentially enable escalation of privilege to the Intel Unite(R) Solution administrative portal via network access.

CVE-2019-0102


INTEL-SA-00215
Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVE-2019-0103


INTEL-SA-00215
Insufficient file protection in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2019-0104


INTEL-SA-00215
Insufficient file protection in uninstall routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2019-0105


INTEL-SA-00215
Insufficient file permissions checking in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow authenticated user to potentially enable escalation of privilege via local access.

CVE-2019-0106


INTEL-SA-00215
Insufficient run protection in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2019-0107


INTEL-SA-00215
Insufficient user prompt in install routine for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2019-0108


INTEL-SA-00215
Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable disclosure of information via local access.

CVE-2019-0109


INTEL-SA-00215
Improper folder permissions in Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVE-2019-0110


INTEL-SA-00215
Insufficient key management for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2019-0111


INTEL-SA-00215
Improper file permissions for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2019-0112


INTEL-SA-00215
Improper flow control in crypto routines for Intel(R) Data Center Manager SDK before version 5.0.2 may allow a privileged user to potentially enable a denial of service via local access.

CVE-2019-0127


INTEL-SA-00222
Logic error in the installer for Intel(R) OpenVINO(TM) 2018 R3 and before for Linux may allow a privileged user to potentially enable information disclosure via local access.

CVE-2019-100000


SECURITY: prevent DeleteFilePost doing arbitrary deletion by zeripath · Pull Request #5631 · go-gitea/gitea · GitHub
Gitea version 1.6.2 and earlier contains an Incorrect Access Control vulnerability in Delete/Edit file functionality that can result in the attacker deleting files outside the repository he/she has access to. This attack appears to be exploitable once the attacker gets write access to "any" repository, including self-created ones. This vulnerability appears to have been fixed in 1.6.3, 1.7.0-rc2.

CVE-2019-100000


CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can – dxw advisories MapSVG Lite - Cross-Site Request Forgery (CSRF)
MapSVG MapSVG Lite version 3.2.3 contains a Cross Site Request Forgery (CSRF) vulnerability in the REST endpoint /wp-admin/admin-ajax.php?action=mapsvg_save that can result in an attacker modifying post data, including embedding JavaScript. This attack appears to be exploitable when the victim is logged in to WordPress as an admin and clicks a link. This vulnerability appears to have been fixed in 3.3.0 and later.

CVE-2019-100000


Insecure PHP deserialization through phar:// wrapper. · Issue #949 · mpdf/mpdf · GitHub
mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable when the attacker hosts a crafted image on the victim server and triggers generation of a PDF file with that content. This vulnerability appears to have been fixed in 7.1.8.

CVE-2019-100000


sock_dns: Security issues (including remote code execution) · Issue #10739 · RIOT-OS/RIOT · GitHub
RIOT RIOT-OS versions after commit 7af03ab624db0412c727eed9ab7630a5282e2fd3 contain a Buffer Overflow vulnerability in sock_dns, an implementation of the DNS protocol utilizing the RIOT sock API, that can result in remote code execution. This attack appears to be exploitable via network connectivity.

CVE-2019-100000


[CVE-2019-1000007] xso: fix parser error handling by horazont · Pull Request #268 · horazont/aioxmpp · GitHub
aioxmpp version 0.10.2 and earlier contains an Improper Handling of Structural Elements vulnerability in the Stanza Parser (rollback during error processing, aioxmpp.xso.model.guard function) that can result in Denial of Service, Other. This attack appears to be exploitable remotely. A crafted stanza can be sent to an application which uses the vulnerable components to either inject data in a different context or cause the application to reconnect (potentially losing data). This vulnerability appear

CVE-2019-100000


Helm Vulnerability: Client Unpacking Chart that Contains Malicious Content [CVE-2019-1000008]
All versions of Helm between Helm >=2.0.0 and < 2.12.2 contain a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the commands `helm fetch --untar` and `helm lint some.tgz` that can result in a file being unpacked outside of the target directory when chart archive files are unpacked. This attack appears to be exploitable when a victim runs a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in

CVE-2019-100001


Graphql permission problem with delete mutation · Issue #2364 · api-platform/core · GitHub [GraphQL] Check item resource class in mutation by lukasluecke · Pull Request #2441 · api-platform/core · GitHub
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.

CVE-2019-100001


Verify authenticity of signed payload by ericmj · Pull Request #646 · hexpm/hex · GitHub Update to hex_core v0.4.0 by wojtekmach · Pull Request #651 · hexpm/hex · GitHub
Hex package manager version 0.14.0 through 0.18.2 contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.19.

CVE-2019-100001


Verify authenticity of signed payload by ericmj · Pull Request #48 · hexpm/hex_core · GitHub Add repo_verify_origin config option by ericmj · Pull Request #51 · hexpm/hex_core · GitHub
Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.4.0.

CVE-2019-100001


Command Execution Vulnerability in rssh with allowscp (CVE-2019-1000018) | esnet-security.github.io
rssh version 2.3.4 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the allowscp permission that can result in local command execution. This attack appears to be exploitable by an authorized SSH user with the allowscp permission.

CVE-2019-100300


https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

CVE-2019-100300


https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

CVE-2019-100300


https://jenkins.io/security/advisory/2019-01-16/#SECURITY-868
An improper authorization vulnerability exists in Jenkins 2.158 and earlier, LTS 2.150.1 and earlier in core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java that allows attackers with Overall/RunScripts permission to craft Remember Me cookies that would never expire, allowing e.g. to persist access to temporarily compromised user accounts.

CVE-2019-100301


https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1302
A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's configuration.

CVE-2019-100301


https://jenkins.io/security/advisory/2019-01-28/#SECURITY-602
An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.

CVE-2019-100302


https://jenkins.io/security/advisory/2019-01-28/#SECURITY-818
A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL.

CVE-2019-100302


https://jenkins.io/security/advisory/2019-01-28/#SECURITY-886
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.

CVE-2019-6453


GitHub - proofofcalc/cve-2019-6453-poc: Proof of calc for CVE-2019-6453 https://proofofcalc.com/advisories/20190218.txt https://proofofcalc.com/cve-2019-6453-mIRC/ mIRC: Latest News
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).

CVE-2019-7629


TinTin++ 2.01.7 (beta) - TinTin++ Forum TinTin++ Changes CVE-2019-7629: RCE in an Open Source MUD Client - TrustFoundry
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.

CVE-2019-8372


CVE-2019-8372: Local Privilege Elevation in LG Kernel Driver - @Jackson_T LG Security Bulletins Jackson T. on Twitter: "CVE-2019-8372: Local Privilege Elevation in LG Device Manager. This post details a driver-based LPE with an in-depth tutorial on discovery to root and details on two new tools. https://t.co/9jO6FDbeIH… https://t.co/QdBH2MuYRf"
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link and an open DACL.

CVE-2019-8902


A CSRF vulnerability exists in iCMS 7.0 · Issue #56 · idreamsoft/iCMS · GitHub
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.

CVE-2019-8903


Improved security. · totaljs/framework@c37cafb · GitHub Fixed again a critical bug with path travel... · totaljs/framework@de16238 · GitHub
index.js in Total.js Platform before 3.2.3 allows path traversal.

CVE-2019-8904


0000062: Stack buffer overflow - MantisBT
do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.

CVE-2019-8905


0000063: Stack buffer overflow 2 - MantisBT
do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.

CVE-2019-8906


0000064: ASAN: memcpy-param-overlap - MantisBT Avoid OOB read (found by ASAN reported by F. Alonso) · file/file@2858eaf · GitHub
do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.

CVE-2019-8907


0000065: Possible stack corruption - MantisBT
do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.

CVE-2019-8908


An issue was discovered in WTcms. there is an Backstage editor getshell Vulnerability · Issue #3 · taosir/wtcms · GitHub
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header.

CVE-2019-8909


The background verification code size can be controlled to cause a denial of service attack. · Issue #6 · taosir/wtcms · GitHub
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.

CVE-2019-8910


Csrf + Xss combination Can be obtained administrator cookie · Issue #5 · taosir/wtcms · GitHub
An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=site_post CSRF.

CVE-2019-8911


Csrf + Xss combination Can be obtained administrator cookie · Issue #5 · taosir/wtcms · GitHub
An issue was discovered in WTCMS 1.0. It has stored XSS via the third text box (for the website statistics code).

CVE-2019-8912


[net-next] net: crypto set sk to NULL when af_alg_release. - Patchwork
In the Linux kernel through 4.20.10, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.

CVE-2019-8917


research/VS-2019-001.md at master · VerSprite/research · GitHub
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.

CVE-2019-8919


IV should be randomness and unpredictable · Issue #789 · haiwen/seadroid · GitHub
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.

CVE-2019-8933


dedecms V5.7SP2 formal edition Background getshell - qq_36093477's blog - CSDN Blog
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on New Template, and modifying the filename from ../index.html to ../index.php.
