Search
Total
49350 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9486 | 1 Apache | 1 Nifi | 2020-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache NiFi 1.10.0 to 1.11.4, the NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. | |||||
| CVE-2020-9487 | 1 Apache | 1 Nifi | 2020-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| In Apache NiFi 1.0.0 to 1.11.4, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens. | |||||
| CVE-2016-11086 | 1 Oauth-ruby Project | 1 Oauth-ruby | 2020-10-05 | 5.8 MEDIUM | 7.4 HIGH |
| lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information. | |||||
| CVE-2019-6731 | 2 Foxitsoftware, Microsoft | 3 Phantompdf, Reader, Windows | 2020-10-05 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of HTML files to PDF. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7369. | |||||
| CVE-2019-6551 | 1 Pangea-comm | 1 Fax Ata | 2020-10-05 | 7.8 HIGH | 7.5 HIGH |
| Pangea Communications Internet FAX ATA all Versions 3.1.8 and prior allow an attacker to bypass user authentication using a specially crafted URL to cause the device to reboot, which may be used to cause a continual denial-of-service condition. | |||||
| CVE-2019-1664 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the hxterm service of Cisco HyperFlex Software could allow an unauthenticated, local attacker to gain root access to all nodes in the cluster. The vulnerability is due to insufficient authentication controls. An attacker could exploit this vulnerability by connecting to the hxterm service as a non-privileged, local user. A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster. This vulnerability affects Cisco HyperFlex Software Releases prior to 3.5(2a). | |||||
| CVE-2019-6541 | 1 We-con | 1 Levistudiou | 2020-10-05 | 6.8 MEDIUM | 7.8 HIGH |
| A memory corruption vulnerability has been identified in WECON LeviStudioU version 1.8.56 and prior, which may allow arbitrary code execution. Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro's Zero Day Initiative, reported these vulnerabilities to NCCIC. | |||||
| CVE-2019-6539 | 1 We-con | 1 Levistudiou | 2020-10-05 | 9.3 HIGH | 7.8 HIGH |
| Several heap-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior have been identified, which may allow arbitrary code execution. Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro's Zero Day Initiative, reported these vulnerabilities to NCCIC. | |||||
| CVE-2019-6537 | 1 We-con | 1 Levistudiou | 2020-10-05 | 6.8 MEDIUM | 7.8 HIGH |
| Multiple stack-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior may be exploited when parsing strings within project files. The process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage these vulnerabilities to execute code under the context of the current process. Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro's Zero Day Initiative, reported these vulnerabilities to NCCIC. | |||||
| CVE-2019-6549 | 1 Kunbus | 2 Pr100088 Modbus Gateway, Pr100088 Modbus Gateway Firmware | 2020-10-05 | 4.0 MEDIUM | 7.2 HIGH |
| An attacker could retrieve plain-text credentials stored in a XML file on PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) through FTP. | |||||
| CVE-2019-1614 | 1 Cisco | 11 Mds 9000, Nexus 2000, Nexus 3000 and 8 more | 2020-10-05 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to incorrect input validation of user-supplied data by the NX-API subsystem. An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to perform a command-injection attack and execute arbitrary commands with root privileges. Note: NX-API is disabled by default. MDS 9000 Series Multilayer Switches are affected running software versions prior to 8.1(1b) and 8.2(3). Nexus 3000 Series Switches are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 3500 Platform Switches are affected running software versions prior to 7.0(3)I7(4). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected running software versions prior to 7.3(4)N1(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running software versions prior to 7.0(3)I4(9) and 7.0(3)I7(4). Nexus 7000 and 7700 Series Switches are affected running software versions prior to 7.3(3)D1(1) and 8.2(3). | |||||
| CVE-2019-1606 | 1 Cisco | 4 Nexus 3000, Nexus 3500, Nexus 9000 and 1 more | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid user credentials to exploit this vulnerability. Nexus 3000, 3500, and Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I7(4). | |||||
| CVE-2019-1605 | 1 Cisco | 13 Mds 9000, Nexus 2000, Nexus 3000 and 10 more | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary code as root. The vulnerability is due to incorrect input validation in the NX-API feature. An attacker could exploit this vulnerability by sending a crafted HTTP or HTTPS request to an internal service on an affected device that has the NX-API feature enabled. A successful exploit could allow the attacker to cause a buffer overflow and execute arbitrary code as root. Note: The NX-API feature is disabled by default. MDS 9000 Series Multilayer Switches are affected in versions prior to 8.1(1). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I4(8) and 7.0(3)I7(1). Nexus 3500 Platform Switches are affected in versions prior to 6.0(2)A8(8). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 2000, 5500, 5600, and 6000 Series Switches are affected in versions prior to 7.3(2)N1(1). Nexus 7000 and 7700 Series Switches are affected in versions prior to 7.3(3)D1(1). Nexus 9000 Series Switches in Standalone NX-OS Mode are affected in versions prior to 7.0(3)I4(8) and 7.0(3)I7(1). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). | |||||
| CVE-2019-1618 | 1 Cisco | 2 Nexus 9000, Nx-os | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the Tetration Analytics agent for Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to execute arbitrary code as root. The vulnerability is due to an incorrect permissions setting. An attacker could exploit this vulnerability by replacing valid agent files with malicious code. A successful exploit could result in the execution of code supplied by the attacker. Nexus 9000 Series Switches in Standalone NX-OS Mode are affected running versions prior to 7.0(3)I7(5). | |||||
| CVE-2019-1604 | 1 Cisco | 8 Nexus 3000, Nexus 3500, Nexus 3600 and 5 more | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the user account management interface of Cisco NX-OS Software could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to an incorrect authorization check of user accounts and their associated Group ID (GID). An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device. Nexus 7000 and 7700 Series Switches are affected in versions prior to 6.2(22), 8.2(3), and 8.3(2). Nexus 3000 Series Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3500 Platform Switches are affected in versions prior to 7.0(3)I7(4). Nexus 3600 Platform Switches are affected in versions prior to 7.0(3)F3(5). Nexus 9000 Series Switches-Standalone are affected in versions prior to 7.0(3)I7(4). Nexus 9500 R-Series Line Cards and Fabric Modules are affected in versions prior to 7.0(3)F3(5). | |||||
| CVE-2019-1653 | 1 Cisco | 4 Rv320, Rv320 Firmware, Rv325 and 1 more | 2020-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability. | |||||
| CVE-2019-1652 | 1 Cisco | 4 Rv320, Rv320 Firmware, Rv325 and 1 more | 2020-10-05 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability. | |||||
| CVE-2019-1650 | 1 Cisco | 12 Sd-wan, Vbond Orchestrator, Vedge 100 and 9 more | 2020-10-05 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system of an affected device. The vulnerability is due to improper input validation of the save command in the CLI of the affected software. An attacker could exploit this vulnerability by modifying the save command in the CLI of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the underlying operating system of an affected device and escalate their privileges to the root user. | |||||
| CVE-2019-1648 | 1 Cisco | 12 Sd-wan, Vbond Orchestrator, Vedge 100 and 9 more | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the user group configuration of the Cisco SD-WAN Solution could allow an authenticated, local attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the group configuration. An attacker could exploit this vulnerability by writing a crafted file to the directory where the user group configuration is located in the underlying operating system. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device. | |||||
| CVE-2019-1646 | 1 Cisco | 12 Sd-wan, Vbond Orchestrator, Vedge 100 and 9 more | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the local CLI of the Cisco SD-WAN Solution could allow an authenticated, local attacker to escalate privileges and modify device configuration files. The vulnerability exists because user input is not properly sanitized for certain commands at the CLI. An attacker could exploit this vulnerability by sending crafted commands to the CLI of an affected device. A successful exploit could allow the attacker to establish an interactive session with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device. | |||||
| CVE-2019-1644 | 1 Cisco | 1 Iot Field Network Director | 2020-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the UDP protocol implementation for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to exhaust system resources, resulting in a denial of service (DoS) condition. The vulnerability is due to improper resource management for UDP ingress packets. An attacker could exploit this vulnerability by sending a high rate of UDP packets to an affected system within a short period of time. A successful exploit could allow the attacker to exhaust available system resources, resulting in a DoS condition. | |||||
| CVE-2020-24621 | 1 Openmrs | 1 Htmlformentry | 2020-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution (RCE) vulnerability was discovered in the htmlformentry (aka HTML Form Entry) module before 3.11.0 for OpenMRS. By leveraging path traversal, a malicious Velocity Template Language file could be written to a directory. This file could then be accessed and executed. | |||||
| CVE-2020-15223 | 1 Ory | 1 Fosite | 2020-10-05 | 4.0 MEDIUM | 8.0 HIGH |
| In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.34.0, the `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store. This is fixed in version 0.34.0 | |||||
| CVE-2019-16019 | 1 Cisco | 20 Asr 9000, Asr 9010, Asr 9904 and 17 more | 2020-10-05 | 5.0 MEDIUM | 8.6 HIGH |
| Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerabilities are due to incorrect processing of BGP update messages that contain crafted EVPN attributes. An attacker could exploit these vulnerabilities by sending BGP EVPN update messages with malformed attributes to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit these vulnerabilities, the malicious BGP update message would need to come from a configured, valid BGP peer, or would need to be injected by the attacker into the victim's BGP network on an existing, valid TCP connection to a BGP peer. | |||||
| CVE-2020-3143 | 1 Cisco | 42 Ex60, Ex60 Firmware, Ex90 and 39 more | 2020-10-05 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the video endpoint API (xAPI) of Cisco TelePresence Collaboration Endpoint (CE) Software, Cisco TelePresence Codec (TC) Software, and Cisco RoomOS Software could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the xAPI of the affected software. An attacker could exploit this vulnerability by sending a crafted request to the xAPI. A successful exploit could allow the attacker to read and write arbitrary files in the system. To exploit this vulnerability, an attacker would need either an In-Room Control or administrator account. | |||||
| CVE-2019-11248 | 1 Kubernetes | 1 Kubernetes | 2020-10-05 | 6.4 MEDIUM | 8.2 HIGH |
| The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port. This debugging endpoint can potentially leak sensitive information such as internal Kubelet memory addresses and configuration, or for limited denial of service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. | |||||
| CVE-2020-11031 | 1 Glpi-project | 1 Glpi | 2020-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium. | |||||
| CVE-2019-6729 | 2 Foxitsoftware, Microsoft | 3 Phantompdf, Reader, Windows | 2020-10-05 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7423. | |||||
| CVE-2019-11278 | 1 Cloudfoundry | 1 User Account And Authentication | 2020-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with 'client.write' and 'groups.update' can craft a SCIM query, which leaks information that allows an escalation of privileges, ultimately allowing the malicious user to gain control of UAA scopes they should not have. | |||||
| CVE-2019-11279 | 1 Cloudfoundry | 1 Uaa Release | 2020-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn't be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any scope, allowing them to take control of UAA and the resources it controls. | |||||
| CVE-2019-15043 | 1 Grafana | 1 Grafana | 2020-10-04 | 5.0 MEDIUM | 7.5 HIGH |
| In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. | |||||
| CVE-2020-15669 | 1 Mozilla | 2 Firefox Esr, Thunderbird | 2020-10-02 | 6.8 MEDIUM | 8.8 HIGH |
| When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. This results in a use-after-free and we presume that with enough effort it could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.12 and Thunderbird < 68.12. | |||||
| CVE-2020-25773 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| A vulnerability in the Trend Micro Apex One ServerMigrationTool component could allow an attacker to execute arbitrary code on affected products. User interaction is required to exploit this vulnerability in that the target must import a corrupted configuration file. | |||||
| CVE-2020-13296 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 7.5 HIGH | 8.8 HIGH |
| An issue has been discovered in GitLab affecting versions >=10.7 <13.0.14, >=13.1.0 <13.1.8, >=13.2.0 <13.2.6. Improper Access Control for Deploy Tokens | |||||
| CVE-2020-13321 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 6.5 MEDIUM | 8.3 HIGH |
| A vulnerability was discovered in GitLab versions prior to 13.1. Username format restrictions could be bypassed allowing for html tags to be added. | |||||
| CVE-2020-13322 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability was discovered in GitLab versions after 12.9. Due to improper verification of permissions, an unauthorized user can create and delete deploy tokens. | |||||
| CVE-2020-13325 | 1 Gitlab | 1 Gitlab | 2020-10-02 | 5.5 MEDIUM | 7.1 HIGH |
| A vulnerability was discovered in GitLab versions prior 13.1. The comment section of the issue page was not restricting the characters properly, potentially resulting in a denial of service. | |||||
| CVE-2019-11253 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. | |||||
| CVE-2019-11247 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2020-10-02 | 6.5 MEDIUM | 8.1 HIGH |
| The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace, meaning that a user with access only to a resource in one namespace could create, view update or delete the cluster-scoped resource (according to their namespace role privileges). Kubernetes affected versions include versions prior to 1.13.9, versions prior to 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12. | |||||
| CVE-2019-11060 | 1 Asus | 2 Hg100, Hg100 Firmware | 2020-10-02 | 7.8 HIGH | 7.5 HIGH |
| The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associated resources alive for a long period of time. CVSS 3.0 Base score 7.4 (Availability impacts). CVSS vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). | |||||
| CVE-2017-11321 | 1 Ucopia | 1 Wireless Appliance | 2020-10-02 | 6.5 MEDIUM | 7.2 HIGH |
| The restricted shell interface in UCOPIA Wireless Appliance before 5.1.8 allows remote authenticated users to gain 'admin' privileges via shell metacharacters in the less command. | |||||
| CVE-2018-7514 | 1 Omron | 7 Cx-flnet, Cx-one, Cx-programmer and 4 more | 2020-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| Parsing malformed project files in Omron CX-One versions 4.42 and prior, including the following applications: CX-FLnet versions 1.00 and prior, CX-Protocol versions 1.992 and prior, CX-Programmer versions 9.65 and prior, CX-Server versions 5.0.22 and prior, Network Configurator versions 3.63 and prior, and Switch Box Utility versions 1.68 and prior, may cause a stack-based buffer overflow. | |||||
| CVE-2019-10277 | 1 Jenkins | 1 Starteam | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10280 | 1 Jenkins | 1 Assembla Auth | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10281 | 1 Jenkins | 1 Relution Enterprise Appstore Publisher | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10282 | 1 Jenkins | 1 Klaros-testmanagement | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10291 | 1 Jenkins | 1 Netsparker Cloud Scan | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Netsparker Cloud Scan Plugin 1.1.5 and older stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10294 | 1 Jenkins | 1 Kmap | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10295 | 1 Jenkins | 1 Crittercism-dsym | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10296 | 1 Jenkins | 1 Serena Sra Deploy | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||