1821 matches found
Debian: Security Advisory (DLA-1068-1)
The remote host is missing an update for the Debian...
Code injection
Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file...
CVE-2015-1416
Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file...
New Western Digital My Cloud Bugs Give Local Attackers Root on NAS Devices
Researchers disclosed two new vulnerabilities in Western Digital My Cloud network storage devices on Thursday that could allow a local attacker to delete files stored on devices or allow them to execute shell commands as root. Researchers at Trustwave disclosed the vulnerabilities, which come on...
CVE-2017-1000393
Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was suppose...
CloudBees Jenkins EC2 Plugin Arbitrary Command Execution Vulnerability
CloudBees Jenkins (formerly known as Hudson Labs) is a set of Java-based continuous integration tools developed by the United States company CloudBees. It is mainly used to monitor continuous software release/testing projects and some scheduled tasks. An...
CVE-2017-1000502
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only...
Design/Logic Flaw
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only...
The vulnerability of the CouchDB database management system stems from differences in how JSON parsers based on Erlang and JavaScript operate. This allows a hacker to execute arbitrary shell commands on the server with administrator privileges.
The vulnerability of the CouchDB database management system is related to differences in how JSON-based parsers running on Erlang and JavaScript operate. Exploiting this vulnerability allows a malicious actor, who operates remotely and is not an administrator of the system, to gain access to...
Debian DLA-1252-1 : couchdb security update
CVE-2017-12635: Prevent non-admin users from giving themselves admin privileges. CVE-2017-12636: Blacklist some configuration options to prevent execution of arbitrary shell commands as the CouchDB user. For Debian 7 'Wheezy', these problems have been fixed in version 1.2.0-5+deb7u1. We recommend that y...
[SECURITY] [DLA 1252-1] couchdb security update
Package: couchdb; Version: 1.2.0-5+deb7u1; CVE ID: CVE-2017-12635 CVE-2017-12636. CVE-2017-12635: Prevent non-admin users from giving themselves admin privileges. CVE-2017-12636: Blacklist some configuration options to prevent execution of arbitrary shell commands as the CouchDB user. For Debian 7...
OTRS 5.0.x/6.0.x - Remote Command Execution (1)
Exploit Title: OTRS 5.0.x/6.0.x - Remote Command Execution (1); Date: 21-01-2018; Exploit Author: Bæln0rn; Vendor Homepage: https://www.otrs.com/; Software Link: http://ftp.otrs.org/pub/otrs/; Version: 4.0.1 - 4.0.26, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1; Tested on: OTRS 5.0.2/CentOS 7.2.1511; CVE: CVE-2017-169...
GLSA-201801-18 : Newsbeuter: User-assisted execution of arbitrary code
The remote host is affected by the vulnerability described in GLSA-201801-18 (Newsbeuter: User-assisted execution of arbitrary code). Newsbeuter does not properly escape shell meta-characters in the title and description of RSS feeds when bookmarking. Impact: A remote attacker, by enticing a user t...
Newsbeuter: User-assisted execution of arbitrary code
Background: Newsbeuter is a RSS/Atom feed reader for the text console. Description: Newsbeuter does not properly escape shell meta-characters in the title and description of RSS feeds when bookmarking. Impact: A remote attacker, by enticing a user to open a feed with specially crafted URLs, could...
[SECURITY] [DLA 1237-1] plexus-utils2 security update
Package: plexus-utils2; Version: 2.0.5-1+deb7u1; CVE ID: CVE-2017-1000487. Charles Duffy discovered that the Commandline class in plexus-utils2, a collection of components used by Apache Maven, does not correctly quote the contents of double-quoted strings. An attacker may use this flaw to inject...
[SECURITY] [DLA 1236-1] plexus-utils security update
Package: plexus-utils; Version: 1:1.5.15-4+deb7u1; CVE ID: CVE-2017-1000487. Charles Duffy discovered that the Commandline class in plexus-utils, a collection of components used by Apache Maven, does not correctly quote the contents of double-quoted strings. An attacker may use this flaw to injec...