Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-f7fq-wp2x-jc25: Jenkins WildFly Deployer Plugin vulnerable to path traversal

Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

ghsa
Open in Source
#git
GHSA-f546-v666-559x: Craft CMS Cross-site Scripting vulnerability

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line `label: elementInfo.label`.

GHSA-52v4-wxrx-gjjm: Jenkins Apprenda Plugin has Missing Authorization vulnerability

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

GHSA-q9j5-2mjx-8x28: Jenkins SCM HttpClient Plugin Missing Authorization

A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-6cvr-rvpm-9wx4: Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

GHSA-cpm5-cqr9-7p79: Jenkins BigPanda Notifier Plugin Missing Password Field Masking

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

GHSA-fv7x-v67w-cvqv: Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes.

GHSA-m748-hjqg-rpp8: rdiffweb has insecure HTTP cookies

In rdiffweb prior to version 2.4.6, the `cookie` session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.

GHSA-9vxf-mcm6-5m42: rdiffweb CSRF could lead to disabling notifications in user profile

rdiffweb prior to 2.4.6 is vulnerable to Cross-Site Request Forgery (CSRF), which could lead to disabling notifications in a user's profile.

GHSA-6h2x-4gjf-jc5w: autogluon.multimodal vulnerable to unsafe YAML deserialization

### Impact A potential unsafe deserialization issue exists within the `autogluon.multimodal` module, where YAML files are loaded via `yaml.load()` instead of `yaml.safe_load()`. The deserialization of untrusted data may allow an unprivileged third party to cause remote code execution, denial of service, and impact to both confidentiality and integrity. Impacted versions: `>=0.4.0;<0.4.3`, `>=0.5.0;<0.5.2`. ### Patches The patches are included in `autogluon.multimodal==0.4.3`, `autogluon.multimodal==0.5.2` and Deep Learning Containers `0.4.3` and `0.5.2`. ### Workarounds Do not load data which originated from an untrusted source, or that could have been tampered with. **Only load data you trust.** ### References * https://cwe.mitre.org/data/definitions/502.html * https://www.cvedetails.com/cve/CVE-2017-18342/