129 matches found
Docker Remote API 未授权访问
介绍 docker 在使用集群管理如:Kubernetes,swarm时,要使用remote api对节点进行管理.remote api无认证时的默认端口是2375需要TLS认证默认登录是2376。 remote api默认是可以不需要认证能直接访问,能直接对docker进行操作,如新建容器,删除容器,查看镜像容器信息等... remote api操作方法见docker官方文档 检测docker remote api 未授权访问可以使用curl或者直接用浏览器访问 http://ip:2375/info 如果返回了json证明漏洞存在,如下图 其他参考链接...
HackerOne: Minimum bounty of a private program is visible for users that were removed from the program
Hello, Privileged information is getting leaked to an unauthorized user in the json response of https://hackerone.com/reports/.json. In a team there can be many members, also roles are defined. But an x-member of the team is getting information which should not be visible to him. As I tested it o...
HackerOne: Internal bounty and swag details disclosed as part of JSON response
Hello Hackerone team !!!! If Some company take option like this : Show minimum bounty on the program page? Do not display the minimum bounty on the program page. for example : https://hackerone.com/███████████ Private bounty details "basebounty":10 https://hackerone.com/████ Private swag details...
HackerOne: Reflected File Download
Info: Reflected File Download is a new web attack vector. It allows an attacker to craft a malicious file and present it to a victim, but there is no file present at the server. It was recently published at the BlackHat Eupore 2014 by Oren Hafif. Link to his presentation is given at the end...
CVE-2013-4758
Double free vulnerability in the writeDataError function in the ElasticSearch plugin omelasticsearch in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service crash and possibly execute arbitrary code via a crafted...
CVE-2013-4758
Double free vulnerability in the writeDataError function in the ElasticSearch plugin omelasticsearch in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service crash and possibly execute arbitrary code via a crafted...
CVE-2013-4758
CVE-2013-4758 describes a double‑free memory corruption in the rsyslog omelasticsearch plugin (ElasticSearch plugin) within rsyslog when the errorfile parameter is set for local logging. The underlying issue is in writeDataError, affecting rsyslog versions up to 7.4.1 (stable) and up to 7.5.1 (de...
CVE-2013-4758
Double free vulnerability in the writeDataError function in the ElasticSearch plugin omelasticsearch in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service crash and possibly execute arbitrary code via a crafted...
Italian team discoveries flaw in Ruzzle protocol, serious menace to privacy
We are in digital era, everything is connected to the large networks and applications benefit of even more complex devices that deeply interact with owner, in this scenario security requirements assume a crucial importance and security of overall architecture also depend on security of single...