400 matches found
CVE-2024-45106 Apache Ozone: Improper authentication when generating S3 secrets
Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possible if: ozone.s3g.secret.http.enabled is set to true. The default value of this configuration is...
PT-2024-31436 · Apache · Apache Ozone
Name of the Vulnerable Software and Affected Versions: Apache Ozone version 1.4.0 Description: The issue is related to improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone. This allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other...
PT-2024-39634 · Linear · Linear Emerge E3-Series
Name of the Vulnerable Software and Affected Versions: Linear eMerge e3-Series versions 1.00-07 Description: The Linear eMerge e3-Series is vulnerable to an OS command injection issue. A remote and unauthenticated attacker can execute arbitrary OS commands via the login id parameter when invoking...
BIT-JENKINS-2024-43045
Jenkins LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views"...
Improper Access Control
org.jenkins-ci.main, jenkins-core is vulnerable to Improper Access Control. The vulnerability is caused due to a missing permission check in an HTTP end point. This allows attackers with Overall/Read permission to access other users' "My Views" and attackers with global View/Configure and...
CVE-2024-43045
A flaw was found in Jenkins. A missing permission check in an HTTP endpoint allows attackers with Overall/Read permission to access other users' "My Views" or attackers with global View/Configure and View/Delete permissions to change other users' "My Views". Mitigation Mitigation for this issue i...
GHSA-8PV9-QH96-9HC6 Jenkins does not perform a permission check in an HTTP endpoint
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
Jenkins does not perform a permission check in an HTTP endpoint
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
CVE-2024-43045
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views"...
CVE-2024-43045
Jenkins Core: CVE-2024-43045 affects Jenkins 2.470 and earlier (including LTS 2.452.3 and earlier). It does not perform a permission check on a specific HTTP endpoint, allowing users with Overall/Read (and with some broader permissions) to access other users’ My Views, and potentially to alter th...
Jenkins LTS < 2.452.4 / Jenkins weekly < 2.471 Multiple Vulnerabilities
According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.452.4 or Jenkins weekly prior to 2.471. It is, therefore, affected by multiple vulnerabilities: - Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent...
CVE-2024-39598 [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)
SAP CRM WebClient UI Framework allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the applicati...
CVE-2024-6163
Certain http endpoints of Checkmk in Checkmk 2.3.0p10 2.2.0p31, 2.1.0p46, = 2.0.0p39 allows remote attacker to bypass authentication and access data...
CVE-2024-6163 local IP restriction of internal HTTP endpoints
Certain http endpoints of Checkmk in Checkmk 2.3.0p10 2.2.0p31, 2.1.0p46, = 2.0.0p39 allows remote attacker to bypass authentication and access data...
CVE-2024-6163 local IP restriction of internal HTTP endpoints
Certain http endpoints of Checkmk in Checkmk 2.3.0p10 2.2.0p31, 2.1.0p46, = 2.0.0p39 allows remote attacker to bypass authentication and access data...
CVE-2024-37393
SecurEnvoy MFA has multiple LDAP injection vulnerabilities in versions before 9.4.514. The DESKTOP service at the /secserver HTTP endpoint validates input improperly, enabling unauthenticated remote attackers to exfiltrate Active Directory data (potentially including the cleartext ms-Mcs-AdmPwd u...
Reflected XSS in Metrics Web Page
Reflected XSS in Sidekiq Web UI via the /metrics HTTP end-point and the substr query param: https://host/sidekiq/metrics?substr=foot%22%3E%3Cscript%20src=%22payload%22%20/%3E...
GHSA-8H2M-54WH-GWJ3 Jenkins docker-build-step Plugin missing permission check
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...
Jenkins docker-build-step Plugin missing permission check
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...
CVE-2024-2216
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting futu...