5834 matches found

OSV
added 2019/02/18 11:56 p.m. | 15 views

GHSA-362X-34H3-H6H6 Downloads Resources over HTTP in box2d-native

Affected versions of box2d-native insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 8.1 | EPSS 0.01682
Exploits: 0 | References: 3
Github Security Blog
added 2019/02/18 11:56 p.m. | 23 views

Downloads Resources over HTTP in box2d-native

Affected versions of box2d-native insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 6.4 | EPSS 0.01682
Exploits: 0 | References: 3 | Affected software: 1
OSV
added 2019/02/18 11:50 p.m. | 0 views

GHSA-7XVG-M3VX-2HHV Downloads Resources over HTTP in webrtc-native

Affected versions of webrtc-native insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 6.3 | EPSS 0.02104
Exploits: 0 | References: 3
vulnersOsv
added 2019/02/18 11:50 p.m. | 3 views

headq-rtc (=1.0.0), kittyswarm (>=1.1.0 <=1.1.1) +1 more potentially affected by CVE-2016-10600 via webrtc-native (=1.4.0)

webrtc-native NPM version =1.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on webrtc-native and may be impacted: - headq-rtc =1.0.0 - kittyswarm =1.1.0, =1.1.1 - peeracle =0.0.3 Source cves: CVE-2016-10600 Source advisory: OSV:GHSA-7XVG-M3VX-2HHV...

CVSS 9.3 | AI score 7.2 | EPSS 0.02104
Exploits: 0
Github Security Blog
added 2019/02/18 11:50 p.m. | 36 views

Downloads Resources over HTTP in webrtc-native

Affected versions of webrtc-native insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 4 | EPSS 0.02104
Exploits: 0 | References: 3 | Affected software: 1
vulnersOsv
added 2019/02/18 11:48 p.m. | 4 views

native-ui-toolkit (>=0.0.1 <=0.0.4), nodehotkey (>=1.0.5 <=2.0.15) +2 more potentially affected by CVE-2016-10608 via robot-js (=2.0.0)

robot-js NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on robot-js and may be impacted: - native-ui-toolkit =0.0.1, =1.0.5, =1.1.0, =1.0.0, =1.0.3 Source cves: CVE-2016-10608 Source advisory: OSV:GHSA-6V7P-J23V-4XMW...

CVSS 9.3 | AI score 7.1 | EPSS 0.01611
Exploits: 0
OSV
added 2019/02/18 11:45 p.m. | 17 views

GHSA-MPWW-J7XJ-CJ35 Downloads Resources over HTTP in native-opencv

Affected versions of native-opencv insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 | AI score 8.1 | EPSS 0.01699
Exploits: 0 | References: 3
Exploit DB
added 2019/02/18 12:00 a.m. | 39 views

Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions

A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 latest at the time of this writing while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following or similar crash: --- cut --- $ bin/java -cp . DisplaySfntFont...

AI score 7.4
Exploits: 0
CNVD
added 2019/02/14 12:00 a.m. | 2 views

Eclipse OpenJ9 Buffer Overflow Vulnerability (CNVD-2019-39191)

Eclipse OpenJ9 is a Java application engine from the Eclipse Foundation. The product is primarily used to run Java applications. A security vulnerability exists in the OpenJDK + Eclipse OpenJ9 0.11.0 builds. An attacker can exploit the vulnerability to accept pointer values that are dereferenced ...

CVSS 9.8 | AI score 6.8 | EPSS 0.01134
Exploits: 0 | References: 1
Prion
added 2019/02/11 3:29 p.m. | 20 views

Code injection

In Eclipse OpenJ9, prior to the 0.12.0 release, the jiosnprintf and jiovsnprintf native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. These functions were not directly callable by non-native user code...

CVSS 7.5 | AI score 9.3 | EPSS 0.02744
Exploits: 1 | References: 7 | Affected software: 5
NVD
added 2019/02/11 3:29 p.m. | 15 views

CVE-2018-12547

In Eclipse OpenJ9, prior to the 0.12.0 release, the jiosnprintf and jiovsnprintf native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. These functions were not directly callable by non-native user code...

CVSS 9.8 | AI score 5.3 | EPSS 0.02744
Exploits: 1 | References: 7
Cvelist
added 2019/02/11 3:00 p.m. | 20 views

CVE-2018-12547

In Eclipse OpenJ9, prior to the 0.12.0 release, the jiosnprintf and jiovsnprintf native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. These functions were not directly callable by non-native user code...

AI score 4.4 | EPSS 0.02744
Exploits: 1 | References: 7
IBM Security Bulletins
added 2019/02/06 10:50 p.m. | 37 views

Security Bulletin: IBM i2 Enterprise Insight Analysis. CVE-2018-12539

Summary IBM i2 Enterprise Insight Analysis is delivered with the IBM Java Runtime. A vulnerability was discovered in the IBM Java Runtime that can leave the product vulnerable to attacks allowing arbitrary code to be injected. Vulnerability Details CVEID: CVE-2018-12539 DESCRIPTION: Eclipse OpenJ...

CVSS 7.8 | AI score 0.5 | EPSS 0.00494
Exploits: 0 | Affected software: 1
Prion
added 2019/01/31 8:29 p.m. | 15 views

Code injection

In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code...

CVSS 7.5 | AI score 9.3 | EPSS 0.01134
Exploits: 0 | References: 1 | Affected software: 1
OSV
added 2019/01/31 8:29 p.m. | 11 views

CVE-2018-12548

In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code...

CVSS 9.8 | AI score 6.8
Exploits: 0 | References: 1
Carbon Black Blog
added 2019/01/29 2:17 p.m. | 50 views

Partner Perspectives: Beyond SIEM: Carbon Black + JASK Connected

Oren Arar is the Head of Alliances for JASK. The real-time integration of JASK & Carbon Black provides high-value alerts and extended contextual investigation insights to our joint customers, all within a cloud-native environment. Background The JASK Autonomous Security Operations Center ASOC...

AI score 1
Exploits: 0
Veracode
added 2019/01/15 9:24 a.m. | 28 views

Arbitrary Code Execution

IBM JDK is vulnerable to arbitrary code execution. An insecure access restriction to the Attach API allows an attacker to connect to the affected resource and execute untrusted native code...

CVSS 7.8 | AI score 8.1 | EPSS 0.00494
Exploits: 0 | References: 11 | Affected software: 2
Exploit DB
added 2019/01/09 12:00 a.m. | 83 views

Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion

Windows: DSSVC CheckFilePermission Arbitrary File Delete EoP Platform: Windows 10 1803 and 1809. Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary NOTE: This is one of multiple issues I’m reporting in the same service. While I’ve tried to ensure...

AI score 7.4
Exploits: 0
RedhatCVE
added 2018/12/21 7:49 p.m. | 29 views

CVE-2018-17244

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; wh...

CVSS 6.5 | AI score 1.8 | EPSS 0.01456
Exploits: 0 | References: 2
Prion
added 2018/12/20 10:29 p.m. | 21 views

Cross site request forgery (csrf)

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; wh...

CVSS 4 | AI score 6.8 | EPSS 0.01456
Exploits: 0 | References: 3 | Affected software: 1