Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10296 | 1 Jenkins | 1 Serena Sra Deploy | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10297 | 1 Jenkins | 1 Sametime | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10298 | 1 Jenkins | 1 Koji | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Koji Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2018-7340 | 1 Cisco | 1 Duo Network Gateway | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Duo Network Gateway 1.2.9 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | |||||
| CVE-2019-10299 | 1 Jenkins | 1 Cloudcoreo Deploytime | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10947 | 1 Deltaww | 1 Cncsoft Screeneditor | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.88 and prior. Multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. This may occur because CNCSoft lacks user input validation before copying data from project files onto the stack. | |||||
| CVE-2019-10302 | 1 Jenkins | 1 Jira-ext | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins jira-ext Plugin 0.8 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10951 | 1 Deltaww | 1 Cncsoft Screeneditor | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| Delta Industrial Automation CNCSoft, CNCSoft ScreenEditor Version 1.00.88 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap. | |||||
| CVE-2019-10303 | 1 Jenkins | 1 Azure Publishersettings Credentials | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Azure PublisherSettings Credentials Plugin 1.2 and earlier stored credentials unencrypted in the credentials.xml file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10305 | 1 Jenkins | 1 Xebialabs Xl Deploy | 2020-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | |||||
| CVE-2019-10306 | 1 Jenkins | 1 Ontrack | 2020-10-02 | 6.5 MEDIUM | 9.9 CRITICAL |
| A sandbox bypass vulnerability in Jenkins ontrack Plugin 3.4 and earlier allowed attackers with control over ontrack DSL definitions to execute arbitrary code on the Jenkins master JVM. | |||||
| CVE-2019-10308 | 1 Jenkins | 1 Static Analysis Utilities | 2020-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| A missing permission check in Jenkins Static Analysis Utilities Plugin 1.95 and earlier in the DefaultGraphConfigurationView#doSave form handler method allowed attackers with Overall/Read permission to change the per-job default graph configuration for all users. | |||||
| CVE-2019-10316 | 1 Jenkins | 1 Aqua Microscanner | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Aqua MicroScanner Plugin 1.0.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10318 | 1 Jenkins | 1 Azure Ad | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system. | |||||
| CVE-2019-10950 | 1 Fujifilm | 6 Cr-ir 357 Fcr Capsula X, Cr-ir 357 Fcr Capsula X Firmware, Cr-ir 357 Fcr Carbon X and 3 more | 2020-10-02 | 10.0 HIGH | 9.8 CRITICAL |
| Fujifilm FCR Capsula X/ Carbon X/ FCR XC-2, model versions CR-IR 357 FCR Carbon X, CR-IR 357 FCR XC-2, FCR-IR 357 FCR Capsula X provide insecure telnet services that lack authentication requirements. An attacker who successfully exploits this vulnerability may be able to access the underlying operating system. | |||||
| CVE-2019-10249 | 1 Eclipse | 2 Xtend, Xtext | 2020-10-02 | 6.8 MEDIUM | 8.1 HIGH |
| All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised. | |||||
| CVE-2019-10952 | 1 Rockwellautomation | 8 Armor Compact Guardlogix 5370, Armor Compact Guardlogix 5370 Firmware, Compactlogix 5370 L1 and 5 more | 2020-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier systems. | |||||
| CVE-2019-10319 | 1 Jenkins | 1 Pluggable Authentication Module | 2020-10-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins PAM Authentication Plugin 1.5 and earlier, except 1.4.1 in PamSecurityRealm.DescriptorImpl#doTest allowed users with Overall/Read permission to obtain limited information about the file /etc/shadow and the user Jenkins is running as. | |||||
| CVE-2019-10922 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2020-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 and newer (All versions), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 and newer (All versions). An attacker with network access to affected installations, which are configured without "Encrypted Communication", can execute arbitrary code. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected installation. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-10145 | 1 Redhat | 1 Rkt | 2020-10-02 | 6.9 MEDIUM | 7.7 HIGH |
| rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` do not have seccomp filtering during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources. | |||||
| CVE-2019-10329 | 1 Eficode | 1 Influxdb | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins InfluxDB Plugin 1.21 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10330 | 1 Gitea | 1 Gitea | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted. | |||||
| CVE-2019-10333 | 1 Jenkins | 1 Electricflow | 2020-10-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing permission checks in Jenkins ElectricFlow Plugin 1.1.5 and earlier in various HTTP endpoints allowed users with Overall/Read access to obtain information about the Jenkins ElectricFlow Plugin configuration and configuration of connected ElectricFlow instances. | |||||
| CVE-2019-10164 | 4 Fedoraproject, Opensuse, Postgresql and 1 more | 4 Fedora, Leap, Postgresql and 1 more | 2020-10-02 | 9.0 HIGH | 8.8 HIGH |
| PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. | |||||
| CVE-2019-10962 | 1 Bd | 2 Alaris Gateway Workstation, Alaris Gateway Workstation Firmware | 2020-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR Build 11,1.1.5, and 1.1.6, The web browser user interface on the Alaris Gateway Workstation does not prevent an attacker with knowledge of the IP address of the Alaris Gateway Workstation terminal to gain access to the status and configuration information of the device. | |||||
| CVE-2019-10966 | 1 Ge | 8 Aespire 7100, Aespire 7100 Firmware, Aespire 7900 and 5 more | 2020-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms. | |||||
| CVE-2019-10347 | 1 Jenkins | 1 Mashup Portlets | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system. | |||||
| CVE-2019-10350 | 1 Jenkins | 1 Port Allocator | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10351 | 1 Jenkins | 1 Caliper Ci | 2020-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||||
| CVE-2019-10354 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2020-10-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information. | |||||
| CVE-2019-10915 | 1 Siemens | 2 Sinetplan, Tia Administrator | 2020-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-10162 | 2 Opensuse, Powerdns | 2 Leap, Authoritative | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. The issue is due to the fact that the Authoritative Server will exit when it runs into a parsing error while looking up the NS/A/AAAA records it is about to use for an outgoing notify. | |||||
| CVE-2019-10165 | 1 Redhat | 1 Openshift Container Platform | 2020-10-02 | 2.1 LOW | 2.3 LOW |
| OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources. | |||||
| CVE-2019-10344 | 1 Jenkins | 1 Configuration As Code | 2020-10-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing permission checks in Jenkins Configuration as Code Plugin 1.24 and earlier in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins. | |||||
| CVE-2019-10345 | 1 Jenkins | 1 Configuration As Code | 2020-10-02 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. | |||||
| CVE-2019-10355 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2020-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10356 | 2 Jenkins, Redhat | 2 Script Security, Openshift Container Platform | 2020-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts. | |||||
| CVE-2019-10357 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift Container Platform | 2020-10-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries. | |||||
| CVE-2019-10361 | 1 Jenkins | 1 M2release | 2020-10-02 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system. | |||||
| CVE-2019-10363 | 1 Jenkins | 1 Configuration As Code | 2020-10-02 | 4.0 MEDIUM | 4.9 MEDIUM |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form. | |||||
| CVE-2019-10364 | 1 Jenkins | 1 Ec2 | 2020-10-02 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. | |||||
| CVE-2019-10391 | 1 Jenkins | 1 Ibm Application Security On Cloud | 2020-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. | |||||
| CVE-2019-10417 | 1 Jenkins | 1 Kubernetes Pipeline | 2020-10-02 | 6.5 MEDIUM | 9.9 CRITICAL |
| Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection. | |||||
| CVE-2019-10980 | 1 Laquisscada | 1 Scada | 2020-10-02 | 6.8 MEDIUM | 7.8 HIGH |
| A type confusion vulnerability may be exploited when LAquis SCADA 4.3.1.71 processes a specially crafted project file. This may allow an attacker to execute remote code. The attacker must have local access to the system. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). | |||||
| CVE-2019-10201 | 1 Redhat | 2 Keycloak, Single Sign-on | 2020-10-02 | 5.5 MEDIUM | 8.1 HIGH |
| It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. | |||||
| CVE-2019-10943 | 1 Siemens | 22 Simatic Et 200sp Open Controller Cpu 1515sp Pc, Simatic Et 200sp Open Controller Cpu 1515sp Pc2, Simatic Et 200sp Open Controller Cpu 1515sp Pc2 Firmware and 19 more | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions <= 20.8), SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC (All versions), SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC2 (All versions), SIMATIC S7 PLCSIM Advanced (All versions <= V3.0), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions <= V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants), excluding CPU 1518 MFP (and related SIPLUS variant) (All versions <= V2.8.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants), excluding CPU 1518-4 PN/DP and CPU 1518 MFP (and related SIPLUS variant) (All versions <= V2.8.1), SIMATIC S7-1500 Software Controller (All versions <= V20.8). An attacker with network access to port 102/tcp could potentially modify the user program on the PLC in a way that the running code is different from the source code which is stored on the device. An attacker must have network access to affected devices and must be able to perform changes to the user program. The vulnerability could impact the perceived integrity of the user program stored on the CPU. An engineer that tries to obtain the code of the user program running on the device, can receive different source code that is not actually running on the device. No public exploitation of the vulnerability was known at the time of advisory publication. | |||||
| CVE-2019-10960 | 1 Zebra | 16 220xi4, 220xi4 Firmware, Zt220 and 13 more | 2020-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Zebra Industrial Printers All Versions, Zebra printers are shipped with unrestricted end-user access to front panel options. If the option to use a passcode to limit the functionality of the front panel is applied, specially crafted packets could be sent over the same network to a port on the printer and the printer will respond with an array of information that includes the front panel passcode for the printer. Once the passcode is retrieved, an attacker must have physical access to the front panel of the printer to enter the passcode to access the full functionality of the front panel. | |||||
| CVE-2019-10928 | 1 Siemens | 2 Scalance Sc-600, Scalance Sc-600 Firmware | 2020-10-02 | 4.6 MEDIUM | 6.6 MEDIUM |
| A vulnerability has been identified in SCALANCE SC-600 (V2.0). An authenticated attacker with access to port 22/tcp as well as physical access to an affected device may trigger the device to allow execution of arbitrary commands. The security vulnerability could be exploited by an authenticated attacker with physical access to the affected device. No user interaction is required to exploit this vulnerability. The vulnerability impacts the confidentiality, integrity and availability of the affected device. | |||||
| CVE-2019-10929 | 1 Siemens | 33 Simatic Cp 1626, Simatic Cp 1626 Firmware, Simatic Et 200sp Open Controller Cpu 1515sp Pc and 30 more | 2020-10-02 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions <= 20.8), SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC (All versions), SIMATIC ET200SP (incl. SIPLUS variants) Open Controller CPU 1515SP PC2 (All versions), SIMATIC HMI Panel (incl. SIPLUS variants) (All versions), SIMATIC NET PC Software (All versions), SIMATIC S7 PLCSIM Advanced (All versions <= V3.0), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions <= V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants), excluding CPU 1518 MFP (and related SIPLUS variant) (All versions <= V2.8.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants), excluding CPU 1518-4 PN/DP and CPU 1518 MFP (and related SIPLUS variant) (All versions <= V2.8.1), SIMATIC S7-1500 Software Controller (All versions <= V20.8), SIMATIC STEP 7 (TIA Portal) (All versions < V16), SIMATIC WinCC (TIA Portal) (All versions < V16), SIMATIC WinCC OA (All versions <= 3.15), SIMATIC WinCC Runtime Advanced (All versions), SIMATIC WinCC Runtime Professional (All versions), TIM 1531 IRC (incl. SIPLUS variant) (All versions). An attacker in a Man-in-the-Middle position could potentially modify network traffic exchanged on port 102/tcp to PLCs of the SIMATIC S7-1200, SIMATIC S7-1500 and SIMATIC SoftwareController CPU families, due to certain properties in the calculation used for integrity protection. In order to exploit the vulnerability, an attacker must be able to perform a Man-in-the-Middle attack. The vulnerability could impact the integrity of the communication. No public exploitation of the vulnerability was known at the time of advisory publication. | |||||
| CVE-2019-10370 | 1 Jenkins | 1 Mask Passwords | 2020-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure. | |||||