CVE-2021-23259

Crafter CMS vulnerability CVE-2021-23259 allows authenticated users with Administrator or Developer roles to execute OS commands via a Groovy Script that renders pages. The root cause is Groovy script execution without security restrictions, enabling remote command execution (RCE). This is descri...

PT-2021-15419

Name of the Vulnerable Software and Affected Versions Atlassian Confluence versions prior to 7.4.11 Atlassian Confluence versions 7.3.0 through 7.3.6 Atlassian Confluence versions 7.0.0 through 7.0.14 Atlassian Confluence versions 6.13.0 through 6.15.9 Description The issue allows authenticated...

OpenIAM Remote Code Execution Vulnerability

OpenIAM is a fully integrated identity and access management platform. A remote code execution vulnerability exists in OpenIAM versions prior to 4.2.0.3. An attacker can exploit this vulnerability to execute arbitrary code via Groovy Script...

CVE-2020-13420

OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script...

CVE-2020-13420

OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script...

Code injection

OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script...

CVE-2020-13420

OpenIAM prior to 4.2.0.3 is affected by CVE-2020-13420, described as remote code execution via Groovy Script. The available sources consistently identify the affected software as OpenIAM and indicate remediation by upgrading to 4.2.0.3 or later. The initial documents do not provide explicit root-...

CVE-2020-13420

OpenIAM before 4.2.0.3 allows remote attackers to execute arbitrary code via Groovy Script...

OpenIAM 安全漏洞

OpenIAM is a fully integrated identity and access management platform. A remote code execution vulnerability exists in OpenIAM versions prior to 4.2.0.3. An attacker can exploit this vulnerability to execute arbitrary code via Groovy Script...

CVE-2021-21248 Post-Auth Arbitrary Code execution via Groovy script injection

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job paramete...

CVE-2019-12180

An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code Java scripting language on the victim machine by inducing it ...

PT-2019-11784 · Jenkins · Jenkins Splunk Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Splunk Plugin versions 1.7.4 and earlier Description: A sandbox bypass issue allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM by providing a Groovy script to an HTTP endpoint. This is...

CVE-2019-11444

An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a command.execute call, as demonstrated by "def cmd =" in the ServerAdminPortletscript value to group/controlpanel/manage. Valid...

CVE-2019-11444

An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a command.execute call, as demonstrated by "def cmd =" in the ServerAdminPortletscript value to group/controlpanel/manage. Valid...

Input validation

DISPUTED An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a command.execute call, as demonstrated by "def cmd =" in the ServerAdminPortletscript value to group/controlpanel/manage. Vali...

CVE-2019-11444

An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a command.execute call, as demonstrated by "def cmd =" in the ServerAdminPortletscript value to group/controlpanel/manage. Valid...

PT-2019-12309 · Liferay · Liferay Portal

Name of the Vulnerable Software and Affected Versions: Liferay Portal CE version 7.1.2 GA3 Description: An issue in Liferay Portal CE allows an attacker to execute OS commands using the Groovy script console. This can be achieved via a command.execute call. The attacker needs valid credentials fo...

jenkins-job-dsl-plugin: Script security sandbox bypass in Job DSL Plugin (SECURITY-1342)

A flaw was found in the Jenkins Job DSL plugin. Parsing, compilation, and script instantiations provided by a crafted Groovy script could escape the sandbox allowing users to execute arbitrary code on the Jenkins master. The highest risk from this vulnerability is to data confidentiality and...

jenkins-plugin-workflow-cps: Sandbox bypass in Pipeline: Groovy Plugin (SECURITY-1336(2))

A flaw was found in the Jenkins Workflow CPS plugin. Parsing, compilation, and script instantiations provided by a crafted Groovy script could escape the sandbox allowing users to execute arbitrary code on the Jenkins master. The highest risk from this vulnerability is to data confidentiality and...

jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292)

A flaw was found in the Jenkins Script Security plugin through version 1.50. The fix for CVE-2019-1003000 was found to be incomplete. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code...