Lucene search
K

222 matches found

OSV
OSV
added 2018/10/17 4:32 p.m.1 views

GHSA-R4X2-3CQ5-HQVP The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their...

9.8CVSS7AI score0.21979EPSS
Exploits0References64
OSV
OSV
added 2018/10/05 2:29 p.m.3 views

CVE-2018-15386

A vulnerability in Cisco Digital Network Architecture DNA Center could allow an unauthenticated, remote attacker to bypass authentication and have direct unauthorized access to critical management functions. The vulnerability is due to an insecure default configuration of the affected system. An...

9.8CVSS5.8AI score0.03441EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2018/08/17 12:0 a.m.58 views

RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 4 (RHSA-2018:2469)

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2469 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the...

9.8CVSS7.8AI score0.21979EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2018/08/16 3:1 p.m.3 views

tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their...

9.8CVSS7.3AI score0.21979EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2018/08/16 2:50 p.m.4 views

tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their...

9.8CVSS7.3AI score0.21979EPSS
Exploits0References8
Veracode
Veracode
added 2018/07/30 9:32 a.m.9 views

Insecure Defaults

apache-airflow is vulnerable to insecure defaults. The library uses a default SECRETKEY parameter that is the same for all installations, allowing a malicious user to create an authentic session to the application if the SECRETKEY wasn't changed...

6.7AI score
Exploits0
Veracode
Veracode
added 2018/07/23 5:27 a.m.71 views

Insecure Defaults

tomcat-websocket is vulnerable to missing hostname verification. The application does not verify the hostname with a client when establishing a TLS connection through the websocket, allowing a malicious user to impersonate a different host machine...

7.5CVSS8.4AI score0.213EPSS
Exploits0References45Affected Software85
Packet Storm
Packet Storm
added 2018/07/20 12:0 a.m.250 views

Oracle Fusion Middleware 12c (12.2.1.3.0) WebLogic SAML Issues

Oracle WebLogic - Multiple SAML Vulnerabilities CVE-2018-2998/CVE-2018-2933 Release URL: https://pulsesecurity.co.nz/advisories/WebLogic-SAML-Vulnerabilities Date Released: 18/07/2018 CVE: CVE-2018-2998 CVE-2018-2933 Author: Denis Andzakovic Vendor Website: http://www.oracle.com Affected Software...

5.7AI score0.01019EPSS
Exploits2
Veracode
Veracode
added 2018/07/16 5:15 a.m.18 views

XML External Entity (XXE)

phpoffice/common is vulnerable to XML external entity XXE attacks. The vulnerability exists due to the insecure defaults where external entities were allowed, making XXE attacks possible...

9.8CVSS9.2AI score0.02177EPSS
Exploits0References4Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/07/06 12:0 a.m.169 views

Fixed in Apache Tomcat 8.0.53

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833759. This issue was reported publicly on 11 June 2018 and formally announced as a...

9.8CVSS8.8AI score0.21979EPSS
Exploits0Affected Software1
Veracode
Veracode
added 2018/05/17 4:40 a.m.41 views

Insecure Defaults

Apache Tomcat is vulnerable to insecure defaults. The CORS filter provided by default is insecure as it enables supportsCredentials for all origins. This can allow a malicious user unauthorized access to sensitive resources...

9.8CVSS9.1AI score0.21979EPSS
Exploits0References52Affected Software1
Veracode
Veracode
added 2018/05/08 5:55 a.m.44 views

Insecure Defaults

Apache Derby is vulnerable to insecure defaults. An attacker can send network packets to a Derby Network Server to maliciously boot a database under their control control. The attack is only possible when the Java Security Manager policy file permits the reading of database locations, which is th...

5.3CVSS6.8AI score0.04504EPSS
Exploits0References17Affected Software1
Veracode
Veracode
added 2017/12/19 5:55 p.m.21 views

Information Disclosure Through Insecure Defaults

github.com/heketi/heketi is vulnerable to information disclosure through insecure defaults. The application by default sets the /etc/heketi/heketi.json as world readable, allowing a malicious user to access sensitive information contained in it such as passwords...

7.8CVSS7.5AI score0.00428EPSS
Exploits0References4Affected Software2
Veracode
Veracode
added 2017/08/23 1:52 a.m.10 views

XML External Entity (XXE) Injection Through Insecure Defaults

dom4j is vulnerable to XML External Entity Injection. The library by default uses the SAXReader to parse documents without using the setFeature function in it to disable doctype and entities, allowing a malicious user to pass a document to execute an XML Injection attack...

7.3AI score
Exploits0
Veracode
Veracode
added 2017/07/17 4:39 p.m.18 views

Insecure Defaults

akka-actor has insecure defaults. An attacker can leverage an ActorSystem exposed over TCP to perform Java deserialization attacks. By default Java deserialization is enabled and the documentation wasn't complete on how to disable the function.These attacks can be performed if the ActorSystem has...

9.3CVSS8.2AI score0.05666EPSS
Exploits0References1Affected Software2
Veracode
Veracode
added 2017/05/31 7:37 a.m.26 views

Insecure Defaults

Moodle is vulnerable to insecure defaults. The library itself uses a hardcoded key for the rc4encrypt and rc4decrypt functions, making it easier for a malicious user to decrypt sensitive information by reading Moodle's sourcecode. The hardcoded password was set to nfgjeingjk...

5CVSS6AI score0.014EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2017/05/29 3:23 a.m.9 views

Insecure Defaults

chef is vulnerable to arbitrary code execution. The library has a local socket mode on port 8889 that is open by default. This can allow a malicious user to connect to that socket and upload an arbitrary file such as the rootkit cookbook...

7.3AI score
Exploits0
Veracode
Veracode
added 2017/05/03 5:26 a.m.14 views

Insecure Defaults

sosreport is vulnerable to insecure defaults. The library creates temporary archive files with world-readable permissions, allowing a malicious user to extract these files and read their contents. This vulnerability exists due to a regression in the default behavior of sosreport...

5.5CVSS5.3AI score0.00342EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2017/02/27 10:35 a.m.9 views

Insecure Defaults

Netty Handler is insecure by default. Netty doesn't set the HTTP endpointIdentificationAlgorithm by default which means that the hostname verification is not enabled unless specifically turned on by the application...

6.7AI score
Exploits0
RustSec
RustSec
added 2016/11/05 12:0 p.m.27 views

SSL/TLS MitM vulnerability due to insecure defaults

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks...

8.1CVSS2.6AI score0.00745EPSS
Exploits0Affected Software1
Rows per page
Query Builder