Filtered by vendor Linuxfoundation
Total: 70 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19026 | 2 Linuxfoundation, Pivotal | 2 Harbor, Vmware Harbor Registry | 2021-05-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. | |||||
| CVE-2021-29136 | 2 Linuxfoundation, Sylabs | 2 Umoci, Singularity | 2021-05-20 | 2.1 LOW | 5.5 MEDIUM |
| Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. | |||||
| CVE-2021-26921 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-03-22 | 5.0 MEDIUM | 6.5 MEDIUM |
| In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled. | |||||
| CVE-2021-26924 | 1 Linuxfoundation | 1 Argo-cd | 2021-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header. | |||||
| CVE-2021-21369 | 1 Linuxfoundation | 1 Besu | 2021-03-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| Hyperledger Besu is an open-source, MainNet compatible, Ethereum client written in Java. In Besu before version 1.5.1 there is a denial-of-service vulnerability involving the HTTP JSON-RPC API service. If username and password authentication is enabled for the HTTP JSON-RPC API service, then prior to making any requests to an API endpoint the requestor must use the login endpoint to obtain a JSON web token (JWT) using their credentials. A single user can readily overload the login endpoint with invalid requests (incorrect password). As the supplied password is checked for validity on the main vertx event loop and takes a relatively long time this can cause the processing of other valid requests to fail. A valid username is required for this vulnerability to be exposed. This has been fixed in version 1.5.1. | |||||
| CVE-2021-23347 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-03-09 | 3.5 LOW | 4.8 MEDIUM |
| The package github.com/argoproj/argo-cd/cmd before 1.7.13, and from 1.8.0 before 1.8.6, is vulnerable to Cross-site Scripting (XSS): the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user. | |||||
| CVE-2020-29662 | 1 Linuxfoundation | 1 Harbor | 2021-02-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path. | |||||
| CVE-2020-26273 | 1 Linuxfoundation | 1 Osquery | 2020-12-18 | 3.6 LOW | 5.2 MEDIUM |
| osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration. | |||||
| CVE-2019-3990 | 1 Linuxfoundation | 1 Harbor | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| A User Enumeration flaw exists in Harbor. The issue is present in the "/users" API endpoint. This endpoint is supposed to be restricted to administrators. This restriction can be bypassed, and information about registered users can be obtained via the "search" functionality. | |||||
| CVE-2019-16097 | 1 Linuxfoundation | 1 Harbor | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is set up with the DB authentication backend and self-registration is allowed. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP. | |||||
| CVE-2020-13788 | 1 Linuxfoundation | 1 Harbor | 2020-07-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet. | |||||
| CVE-2020-10750 | 1 Linuxfoundation | 1 Jaeger | 2020-06-24 | 2.1 LOW | 5.5 MEDIUM |
| Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials. | |||||
| CVE-2018-21034 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2020-04-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git. | |||||
| CVE-2019-10785 | 2 Debian, Linuxfoundation | 2 Debian Linux, Dojox | 2020-04-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. | |||||
| CVE-2020-6173 | 1 Linuxfoundation | 1 The Update Framework | 2020-01-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncontrolled Resource Consumption. | |||||
| CVE-2011-2924 | 3 Debian, Fedoraproject, Linuxfoundation | 3 Debian Linux, Fedora, Foomatic-filters | 2019-11-25 | 3.3 LOW | 5.5 MEDIUM |
| The foomatic-rip filter v4.0.12 and prior insecurely creates temporary files for storing PostScript data when rendering it with debug mode enabled. This flaw may be exploited by a local attacker to conduct symlink attacks, overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter. | |||||
| CVE-2011-2923 | 2 Debian, Linuxfoundation | 2 Debian Linux, Foomatic-filters | 2019-11-25 | 3.3 LOW | 5.5 MEDIUM |
| The foomatic-rip filter, all versions, insecurely creates temporary files for storing PostScript data when rendering it with debug mode enabled. This flaw may be exploited by a local attacker to conduct symlink attacks, overwriting arbitrary files accessible with the privileges of the user running the foomatic-rip universal print filter. | |||||
| CVE-2019-1010252 | 1 Linuxfoundation | 1 Open Network Operating System | 2019-07-29 | 5.5 MEDIUM | 4.9 MEDIUM |
| The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake. The component is: applyFlowRules() and apply() functions in FlowRuleManager.java. The attack vector is: network management and connectivity. | |||||
| CVE-2019-1010250 | 1 Linuxfoundation | 1 Open Network Operating System | 2019-07-25 | 5.5 MEDIUM | 4.9 MEDIUM |
| The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake. The component is: createFlow() and createFlows() functions in FlowWebResource.java (RESTful service). The attack vector is: network management and connectivity. | |||||
| CVE-2019-1010249 | 1 Linuxfoundation | 1 Open Network Operating System | 2019-07-24 | 5.5 MEDIUM | 4.9 MEDIUM |
| The Linux Foundation ONOS 2.0.0 and earlier is affected by: Integer Overflow. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake. The component is: createFlow() and createFlows() functions in FlowWebResource.java (RESTful service). The attack vector is: network management and connectivity. | |||||
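CVE-2021-29136 (umoci) in the table: the crafted image plants a symlink with one entry and writes through it with the next, so a lexical join of the unpack root and the entry name never sees a `..`. The Go program below is an added example, not umoci's code, that contrasts that lexical join with a resolver that follows whatever symlinks already exist under the root before deciding where an entry lands. The two-entry layer is constructed in memory. The resolver refuses dangling links and absolute link targets rather than re-rooting them, which a real image unpacker must handle, and like any check-then-write it remains racy against a concurrent writer to the same root.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot: the entry's real destination lies outside the unpack root.
var ErrEscapesRoot = errors.New("unpack: destination escapes root")

// resolveInRoot maps an entry name to its real destination. The lexical join
// (the leading "/" makes Clean drop any leading "..") is split into the longest
// prefix that already exists and the rest; EvalSymlinks follows any link an
// earlier entry planted in that prefix, and the result must still be under
// root. Dangling links fail EvalSymlinks and absolute targets resolve against
// the host, so both are refused here instead of re-rooted.
func resolveInRoot(root, name string) (string, error) {
	root, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing, rest := filepath.Join(root, filepath.Clean("/"+filepath.FromSlash(name))), ""
	for existing != root {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = filepath.Dir(existing)
	}
	actual, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if actual != root && !strings.HasPrefix(actual, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrEscapesRoot, name, actual)
	}
	return filepath.Join(actual, rest), nil
}

// writeEntry materialises one entry at dest (only the types this example needs).
func writeEntry(dest string, hdr *tar.Header, body io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	switch hdr.Typeflag {
	case tar.TypeDir:
		return os.MkdirAll(dest, 0o755)
	case tar.TypeSymlink:
		return os.Symlink(hdr.Linkname, dest)
	case tar.TypeReg:
		data, err := io.ReadAll(body)
		if err != nil {
			return err
		}
		return os.WriteFile(dest, data, os.FileMode(hdr.Mode)&0o777)
	default:
		return fmt.Errorf("unsupported entry type %q", hdr.Typeflag)
	}
}

// unpack extracts r into root, mapping entry names to destinations with resolve.
// lexicalJoin is the CVE-2021-29136 pattern: filepath.Join strips "../" but cannot
// see a symlink an earlier entry planted, so the later write follows it out of root.
func unpack(root string, r io.Reader, resolve func(string, string) (string, error)) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		dest, err := resolve(root, hdr.Name)
		if err == nil {
			err = writeEntry(dest, hdr, tr)
		}
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
	}
}

func lexicalJoin(root, name string) (string, error) { return filepath.Join(root, filepath.FromSlash(name)), nil }
func NaiveUnpack(root string, r io.Reader) error  { return unpack(root, r, lexicalJoin) }
func Unpack(root string, r io.Reader) error       { return unpack(root, r, resolveInRoot) }

// CraftedImage is a constructed two-entry layer: a symlink pointing two levels
// above the unpack root, then a regular file written through it.
func CraftedImage() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("owned\n")
	tw.WriteHeader(&tar.Header{Name: "escape", Typeflag: tar.TypeSymlink, Linkname: "../../", Mode: 0o777})
	tw.WriteHeader(&tar.Header{Name: "escape/pwned", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

func main() {
	root, _ := os.MkdirTemp("", "unpack-demo")
	defer os.RemoveAll(root)
	fmt.Println("hardened unpack:", Unpack(root, bytes.NewReader(CraftedImage())))
}
```

With the root placed two directories below a scratch directory, `NaiveUnpack` leaves `pwned` in the scratch directory while `Unpack` returns an error wrapping `ErrEscapesRoot` and writes nothing outside the root; a symlink that stays inside the root (for example `alias -> data`) still resolves and is written through, so the check does not break ordinary layers.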
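CVE-2021-26921 (Argo CD) in the table: a token that is only checked for a valid signature and an unexpired lifetime keeps working after the account behind it is disabled. The Go program below is an added example, not Argo CD's session manager, of the two verification policies side by side. It uses HMAC-SHA256 tokens of its own simple shape in place of JWTs, an in-memory account table, and an injected clock; the field and error names are assumptions for the example. The hardened check also refuses any token issued before the account's last change, which covers re-enabling and password resets as well.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	ErrBadToken     = errors.New("token: bad format or signature")
	ErrTokenExpired = errors.New("token: expired")
	ErrUserDisabled = errors.New("token: account disabled")
	ErrTokenRevoked = errors.New("token: issued before the account last changed")
)

// Account is the hypothetical user record. ChangedAt (Unix seconds) moves
// forward whenever the account is disabled, re-enabled or its password changes.
type Account struct {
	Enabled   bool
	ChangedAt int64
}

// SessionManager issues and checks tokens shaped base64url(issued:expires:name)
// "." base64url(hmac-sha256): a stand-in for a JWT session manager. The clock
// is injected so the example is deterministic.
type SessionManager struct {
	key      []byte
	accounts map[string]*Account
	now      func() time.Time
}

func NewSessionManager(key []byte, now func() time.Time) *SessionManager {
	return &SessionManager{key: key, accounts: map[string]*Account{}, now: now}
}

func (m *SessionManager) AddAccount(name string) {
	m.accounts[name] = &Account{Enabled: true, ChangedAt: m.now().Unix()}
}

// SetEnabled flips the account and stamps the change, so tokens issued before
// it can be told apart from tokens issued after.
func (m *SessionManager) SetEnabled(name string, enabled bool) {
	if a, ok := m.accounts[name]; ok {
		a.Enabled, a.ChangedAt = enabled, m.now().Unix()
	}
}

func (m *SessionManager) mac(payload string) string {
	h := hmac.New(sha256.New, m.key)
	h.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

func (m *SessionManager) Issue(name string, ttl time.Duration) string {
	now := m.now().Unix()
	payload := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf("%d:%d:%s", now, now+int64(ttl/time.Second), name)))
	return payload + "." + m.mac(payload)
}

// parse verifies signature and expiry only. That is all the vulnerable check
// looked at, which is why a disabled user's token stayed valid until expiry.
func (m *SessionManager) parse(token string) (name string, issued int64, err error) {
	payload, sig, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(m.mac(payload))) {
		return "", 0, ErrBadToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return "", 0, ErrBadToken
	}
	parts := strings.SplitN(string(raw), ":", 3)
	if len(parts) != 3 {
		return "", 0, ErrBadToken
	}
	issued, err1 := strconv.ParseInt(parts[0], 10, 64)
	expires, err2 := strconv.ParseInt(parts[1], 10, 64)
	if err1 != nil || err2 != nil {
		return "", 0, ErrBadToken
	}
	if m.now().Unix() >= expires {
		return "", 0, ErrTokenExpired
	}
	return parts[2], issued, nil
}

// VerifyVulnerable accepts any well-formed, unexpired token.
func (m *SessionManager) VerifyVulnerable(token string) (string, error) {
	name, _, err := m.parse(token)
	return name, err
}

// Verify also loads the account on every request: a disabled account rejects
// its tokens at once, and a token older than the account's last change is
// refused even after re-enabling.
func (m *SessionManager) Verify(token string) (string, error) {
	name, issued, err := m.parse(token)
	if err != nil {
		return "", err
	}
	a, ok := m.accounts[name]
	switch {
	case !ok || !a.Enabled:
		return "", ErrUserDisabled
	case issued < a.ChangedAt:
		return "", ErrTokenRevoked
	}
	return name, nil
}

func main() {
	m := NewSessionManager([]byte("constructed-demo-key"), time.Now)
	m.AddAccount("alice")
	tok := m.Issue("alice", time.Hour)
	m.SetEnabled("alice", false)
	_, vulnErr := m.VerifyVulnerable(tok)
	_, fixedErr := m.Verify(tok)
	fmt.Printf("after disable: vulnerable=%v hardened=%v\n", vulnErr, fixedErr)
}
```

The cost of the hardened version is one account lookup per request, which is exactly the point: a bearer token that is valid for its whole lifetime without consulting server-side state cannot be revoked, whatever the signature scheme.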
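CVE-2020-26273 (osquery) in the table names, as a workaround, a central configuration tool that filters for the `ATTACH` keyword. That filter is easy to get wrong in both directions: a plain substring match blocks a harmless table named `attachments` and, unless case-folded, misses `attach`. The Go program below is an added example, not osquery's code, of a small SQLite-aware tokenizer that reports only bare keywords, so string literals, quoted identifiers and comments cannot cause false positives or hide the verb. The forbidden set and the sample queries are constructed for the example; `DETACH` is included on the assumption that a tool blocking one wants the other.

```go
package main

import (
	"fmt"
	"strings"
)

// ForbiddenKeywords are the verbs the config tool refuses to ship to agents.
// Only ATTACH is named in the advisory; DETACH is added here as its companion.
var ForbiddenKeywords = map[string]bool{"ATTACH": true, "DETACH": true}

func isIdentStart(c byte) bool { return c == '_' || (c|0x20) >= 'a' && (c|0x20) <= 'z' }
func isIdentChar(c byte) bool  { return isIdentStart(c) || c >= '0' && c <= '9' }

// Keywords returns every bare word in query, upper-cased. String literals,
// quoted identifiers ("..", `..`, [..]) and both comment forms are skipped, so
// a column named attachments or the literal 'ATTACH' cannot trip the filter,
// while a real ATTACH verb cannot hide behind case or a preceding comment.
func Keywords(query string) []string {
	var words []string
	for i, n := 0, len(query); i < n; {
		c := query[i]
		switch {
		case c == '-' && i+1 < n && query[i+1] == '-': // line comment
			for i < n && query[i] != '\n' {
				i++
			}
		case c == '/' && i+1 < n && query[i+1] == '*': // block comment
			if end := strings.Index(query[i+2:], "*/"); end < 0 {
				i = n
			} else {
				i += end + 4
			}
		case c == '\'' || c == '"' || c == '`': // quoted; a doubled quote is an escape
			j := i + 1
			for j < n && !(query[j] == c && (j+1 >= n || query[j+1] != c)) {
				if query[j] == c {
					j++ // skip the first half of a doubled quote
				}
				j++
			}
			i = j + 1
		case c == '[': // bracketed identifier
			if end := strings.IndexByte(query[i:], ']'); end < 0 {
				i = n
			} else {
				i += end + 1
			}
		case isIdentStart(c):
			j := i
			for j < n && isIdentChar(query[j]) {
				j++
			}
			words = append(words, strings.ToUpper(query[i:j]))
			i = j
		default:
			i++
		}
	}
	return words
}

// Allowed reports whether query may be pushed to agents and, if not, the
// keyword that blocked it.
func Allowed(query string) (bool, string) {
	for _, w := range Keywords(query) {
		if ForbiddenKeywords[w] {
			return false, w
		}
	}
	return true, ""
}

// NaiveAllowed is the substring check a config tool might reach for first: it
// over-blocks any identifier containing the letters (attachments) and, without
// the ToUpper, would under-block "attach".
func NaiveAllowed(query string) bool {
	return !strings.Contains(strings.ToUpper(query), "ATTACH")
}

func main() {
	for _, q := range []string{
		"ATTACH DATABASE '/tmp/evil.db' AS evil",
		"SELECT * FROM attachments",
		"SELECT 'ATTACH' AS word /* ATTACH */",
	} {
		ok, why := Allowed(q)
		fmt.Printf("%-42q allowed=%v blocked_by=%q naive=%v\n", q, ok, why, NaiveAllowed(q))
	}
}
```

The filter is still only a mitigation, as the advisory says: it keeps a managed configuration from carrying `ATTACH` to agents, and does nothing for an operator who can already run ad-hoc queries against the instance.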
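CVE-2019-16097 (Harbor) in the table is a mass-assignment bug: with the DB authentication backend and self-registration enabled, the self-registration request body carried the admin flag through to the stored account. The Go program below is an added example, not Harbor's code, showing a handler that stores the client-supplied flag beside one that derives privilege from the caller instead. The request field names, the `X-Demo-Admin` header standing in for a real session, and the in-memory user table are all assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// createUserRequest is the JSON body of POST /api/users. The field names are
// assumptions for this example, not Harbor's wire format.
type createUserRequest struct {
	Username     string `json:"username"`
	Password     string `json:"password"`
	HasAdminRole bool   `json:"has_admin_role"`
}

// User is the record the hypothetical DB authentication backend stores.
type User struct {
	Username string
	Admin    bool
}

// Server is the user table plus the "allow self-registration" switch that the
// advisory names as the enabling condition.
type Server struct {
	mu               sync.Mutex
	users            map[string]User
	SelfRegistration bool
}

func NewServer(selfRegistration bool) *Server {
	return &Server{users: map[string]User{}, SelfRegistration: selfRegistration}
}

func (s *Server) Lookup(name string) (User, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[name]
	return u, ok
}

func (s *Server) save(u User) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[u.Username] = u
}

// callerIsAdmin stands in for session handling: here the caller is an
// administrator only when the hypothetical header X-Demo-Admin is "1".
func callerIsAdmin(r *http.Request) bool { return r.Header.Get("X-Demo-Admin") == "1" }

// accept decodes the body and applies the rule both handlers share: an
// unauthenticated caller may only proceed when self-registration is on.
func (s *Server) accept(w http.ResponseWriter, r *http.Request) (createUserRequest, bool) {
	var req createUserRequest
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil || req.Username == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return req, false
	}
	if !callerIsAdmin(r) && !s.SelfRegistration {
		http.Error(w, "forbidden", http.StatusForbidden)
		return req, false
	}
	return req, true
}

// VulnerableCreateUser copies the client-supplied admin flag into the stored
// record, the CVE-2019-16097 pattern: with self-registration on, an anonymous
// POST mints an administrator.
func (s *Server) VulnerableCreateUser(w http.ResponseWriter, r *http.Request) {
	req, ok := s.accept(w, r)
	if !ok {
		return
	}
	s.save(User{Username: req.Username, Admin: req.HasAdminRole})
	w.WriteHeader(http.StatusCreated)
}

// HardenedCreateUser derives privilege from the caller, never from the body: a
// self-registered account is always non-admin, and a non-admin who asks for
// the flag is refused outright so the attempt is visible in the access log.
func (s *Server) HardenedCreateUser(w http.ResponseWriter, r *http.Request) {
	req, ok := s.accept(w, r)
	if !ok {
		return
	}
	admin := callerIsAdmin(r)
	if req.HasAdminRole && !admin {
		http.Error(w, "has_admin_role requires administrator privileges", http.StatusForbidden)
		return
	}
	s.save(User{Username: req.Username, Admin: admin && req.HasAdminRole})
	w.WriteHeader(http.StatusCreated)
}

// Submit posts body to h through httptest and returns the HTTP status.
func Submit(h http.HandlerFunc, body string, asAdmin bool) int {
	req := httptest.NewRequest(http.MethodPost, "/api/users", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if asAdmin {
		req.Header.Set("X-Demo-Admin", "1")
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	body := `{"username":"eve","password":"hunter2","has_admin_role":true}`
	s := NewServer(true)
	fmt.Println("vulnerable handler status:", Submit(s.VulnerableCreateUser, body, false))
	eve, _ := s.Lookup("eve")
	fmt.Println("eve stored as admin:", eve.Admin)
	fmt.Println("hardened handler status:", Submit(NewServer(true).HardenedCreateUser, body, false))
}
```

The same separation of "what the client may set" from "what the server decides" is what a dedicated request type with no privilege field buys; the explicit 403 here is a choice that makes probing visible rather than silently ignored.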
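CVE-2020-13788 (Harbor) in the table: an endpoint a project editor supplies is fetched by the Harbor server itself, so the server can be pointed at hosts on its own network. The Go program below is an added example, not Harbor's code, of validating such an endpoint before dialling it: parse the URL, resolve the host, reject loopback, private, link-local, unspecified and multicast addresses, and hand back the address that was checked so the caller dials that rather than resolving again. The resolver is injected and the `FakeDNS` zone, including a host that mixes a public and an internal answer, is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

var ErrForbiddenTarget = errors.New("endpoint resolves to a forbidden address")

// Lookup resolves a hostname to addresses. It is injected so the example runs
// offline; in production use the system resolver.
type Lookup func(host string) ([]net.IP, error)

// FakeDNS is a constructed zone for the example. rebind.example mixes a public
// address with an internal one, as an attacker-controlled zone would.
func FakeDNS(host string) ([]net.IP, error) {
	zone := map[string][]string{
		"registry.example.com": {"93.184.216.34"},
		"rebind.example":       {"93.184.216.34", "10.1.2.3"},
		"metadata.example":     {"169.254.169.254"},
	}
	addrs, ok := zone[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	var ips []net.IP
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

// forbidden is the address policy: loopback, RFC 1918 and ULA, link-local
// (which covers the 169.254.169.254 cloud metadata service), unspecified and
// multicast ranges are never legitimate registry endpoints.
func forbidden(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateEndpoint parses a user-supplied URL, resolves the host (literal IPs
// are checked as-is, IPv4-mapped IPv6 included) and rejects the endpoint if
// any resolved address is forbidden. The returned address is the one the
// caller must dial: re-resolving at connect time would reopen the window for
// DNS rebinding between this check and the connection.
func ValidateEndpoint(raw string, lookup Lookup) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if ips, err = lookup(host); err != nil {
			return nil, err
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s did not resolve", host)
	}
	for _, ip := range ips {
		if forbidden(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrForbiddenTarget, host, ip)
		}
	}
	return ips[0], nil
}

func main() {
	for _, raw := range []string{
		"https://registry.example.com/v2/",
		"http://127.0.0.1:22/",
		"http://169.254.169.254/latest/meta-data/",
		"http://rebind.example/",
	} {
		ip, err := ValidateEndpoint(raw, FakeDNS)
		fmt.Printf("%-42s dial=%v err=%v\n", raw, ip, err)
	}
}
```

Letting the resolver answer and checking the answer, rather than pattern-matching the host string, is what makes alternative spellings of an address (decimal, octal, IPv4-mapped IPv6) land in the same check; restricting the allowed ports to the registry's own would further reduce what a port scan through the server can learn, and is left out here.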
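CVE-2019-10785 (dojox) in the table is the classic "replace the first occurrence only" encoder bug: the first `<` is encoded and every later one is delivered raw. The Go program below is an added example that reproduces the defect in Go rather than in dojox's JavaScript, beside an encoder that handles every occurrence in one pass, with a check for the property an XML encoder must guarantee. The payload is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// BuggyXMLEncode reproduces the dojox.xmpp.util.xmlEncode defect in Go: a
// replacement count of 1 encodes only the first occurrence of each character,
// so every later '<', '>', '&' or quote reaches the output untouched.
func BuggyXMLEncode(s string) string {
	for _, pair := range [][2]string{{"&", "&amp;"}, {"<", "&lt;"}, {">", "&gt;"}, {`"`, "&quot;"}, {"'", "&apos;"}} {
		s = strings.Replace(s, pair[0], pair[1], 1)
	}
	return s
}

// XMLEncode encodes every occurrence in a single pass; because NewReplacer
// never rescans its own output, the '&' of an emitted "&lt;" is not encoded
// again, which is the trap of chained replacements in the wrong order.
func XMLEncode(s string) string {
	return strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;", `"`, "&quot;", "'", "&apos;").Replace(s)
}

// LeaksMarkup reports whether encoded output still carries a raw angle bracket
// or quote, the property an encoder has to guarantee for every input.
func LeaksMarkup(encoded string) bool { return strings.ContainsAny(encoded, `<>"'`) }

func main() {
	payload := `<b>hi</b><script>alert(1)</script>`
	for _, enc := range []struct {
		name string
		fn   func(string) string
	}{{"buggy", BuggyXMLEncode}, {"fixed", XMLEncode}} {
		out := enc.fn(payload)
		fmt.Printf("%s: leaks=%v %s\n", enc.name, LeaksMarkup(out), out)
	}
}
```

A test on the property (no raw markup survives for any input) catches this whole class of bug, where a test on one hand-picked input with a single special character passes both versions.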
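CVE-2011-2924 and CVE-2011-2923 (foomatic-rip) in the table describe the temp-file symlink attack: the filter writes its PostScript debug dump to a guessable path in a shared directory, so a local user can leave a symlink there ahead of time and have the filter truncate and overwrite whatever it points at, with the filter user's privileges. The Go program below is an added example, not foomatic-rip's code, that plays both sides of that race in a scratch directory: the predictable open, the same path opened with O_EXCL, and the usual fix of an unpredictable name from os.CreateTemp. The file name and the victim file are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// debugDumpName is the fixed, guessable file name this example gives the
// PostScript dump; foomatic-rip's real name is not reproduced here.
const debugDumpName = "foomatic-rip-debug.ps"

// PredictableDump is the vulnerable pattern: a fixed path in a shared
// directory, opened with O_CREATE|O_TRUNC and no O_EXCL, so a symlink another
// local user planted there beforehand is followed and its target truncated and
// overwritten with the filter user's privileges.
func PredictableDump(tmpDir string, ps []byte) (string, error) {
	p := filepath.Join(tmpDir, debugDumpName)
	return p, os.WriteFile(p, ps, 0o644)
}

// ExclusiveDump keeps the fixed name but adds O_EXCL: open fails with EEXIST
// if anything, symlink or not, already sits at the path, so the planted link
// is never followed. The dump is simply not written, which is the safe outcome.
func ExclusiveDump(tmpDir string, ps []byte) (string, error) {
	p := filepath.Join(tmpDir, debugDumpName)
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	if _, err := f.Write(ps); err != nil {
		f.Close()
		return "", err
	}
	return p, f.Close()
}

// RandomDump is the usual fix: os.CreateTemp picks an unpredictable name and
// itself opens with O_EXCL, so an attacker can neither guess the path in
// advance nor win by pre-creating it.
func RandomDump(tmpDir string, ps []byte) (string, error) {
	f, err := os.CreateTemp(tmpDir, "foomatic-rip-debug-*.ps")
	if err != nil {
		return "", err
	}
	if _, err := f.Write(ps); err != nil {
		f.Close()
		return "", err
	}
	return f.Name(), f.Close()
}

// PlantSymlink plays the local attacker: before the filter runs, point the
// predictable path at a file the attacker wants clobbered.
func PlantSymlink(tmpDir, victim string) error {
	return os.Symlink(victim, filepath.Join(tmpDir, debugDumpName))
}

func main() {
	dir, _ := os.MkdirTemp("", "foomatic-demo")
	defer os.RemoveAll(dir)
	victim := filepath.Join(dir, "victim.conf")
	os.WriteFile(victim, []byte("keep me\n"), 0o644)
	PlantSymlink(dir, victim)
	_, err := ExclusiveDump(dir, []byte("%!PS\n"))
	data, _ := os.ReadFile(victim)
	fmt.Printf("exclusive open: %v; victim still reads %q\n", err, data)
}
```

O_EXCL alone stops the overwrite but turns the attack into a denial of the debug feature, since the attacker's link keeps the fixed name occupied; the unpredictable name removes that lever as well, and CreateTemp's 0600 mode keeps the dump from being readable by the other local users the advisory has in mind.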
