CVE-2024-23898
CVE-2024-23898 affects Jenkins CLI WebSocket endpoint. Jenkins versions 2.217–2.441 and LTS 2.222.1–2.426.2 do not perform origin validation on WebSocket requests, enabling cross-site WebSocket hijacking (CSWSH) and allowing an attacker to execute CLI commands on the Jenkins controller. Connected...
CVE-2024-23898
Jenkins 2.217 through 2.441 (both inclusive) and LTS 2.222.1 through 2.426.2 (both inclusive) do not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenki...
Jenkins Security Vulnerabilities
Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying and automating any project. A security vulnerability exists in Jenkins versions 2.217 through 2.441, and LTS versions 2.222.1 through 2.426.2, which...
PT-2024-1303 · Jenkins +1 · Jenkins +1
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.217 through 2.441; Jenkins LTS versions 2.222.1 through 2.426.2. Description: The issue is related to the built-in command line interface (CLI) of the Jenkins server, which has a weakness in its authentication procedure. This...
Jenkins LTS < 2.426.3 / Jenkins weekly < 2.442 Multiple Vulnerabilities
According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.426.3 or Jenkins weekly prior to 2.442. It is, therefore, affected by multiple vulnerabilities: - Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disabl...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Critical: SECURITY-3314 / CVE-2024-23897, arbitrary file read vulnerability through the CLI can lead to RCE. High: SECURITY-3315 / CVE-2024-23898, cross-site WebSocket hijacking vulnerability in the CLI...
GHSA-58J9-J2FJ-V8F4 SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface
SurrealDB depends on the tungstenite and tokio-tungstenite crates used by the axum crate, which handles connections to the SurrealDB WebSocket interface. On versions before 0.20.1, the tungstenite crate presented an issue which allowed the parsing of HTTP headers during the client handshake to...
Fedora: Security Advisory for python-aiohttp (FEDORA-2023-a04cc349e1)
The remote host is missing an update for python-aiohttp (FEDORA-2023-a04cc349e1)...
Fedora: Security Advisory for python-aiohttp (FEDORA-2023-1f06098c71)
The remote host is missing an update for python-aiohttp (FEDORA-2023-1f06098c71)...
CVE-2023-5253
A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge of the underlying system may be...
CVE-2023-5253 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0
A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge of the underlying system may be...
CVE-2023-5253
CVE-2023-5253 affects Nozomi Networks Guardian/CMC: a missing authentication check in the WebSocket channel used for the Check Point IoT integration can allow an unauthenticated attacker to obtain assets data. The vulnerability impacts the WebSocket handling that exposes asset information without...
PT-2024-1414 · Nozomi Networks +1 · Nozomi Networks Guardian +2
Name of the Vulnerable Software and Affected Versions: Nozomi Networks Guardian and CMC (affected versions not specified). Description: A missing authentication check in the WebSocket channel used for the Check Point IoT integration may allow an unauthenticated attacker to obtain assets data without...
Nozomi Networks Guardian/CMC Access Control Error Vulnerability
Nozomi Networks Guardian/CMC is a centralized management console from Nozomi Networks, Inc. in the United States. An access control error vulnerability exists in Nozomi Networks Guardian/CMC prior to version v23.3.0 that stems from a lack of authentication checks in the WebSocket channel, allowin...
Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0
Summary: A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC may allow an unauthenticated attacker to obtain assets data without authentication. Impact: Malicious unauthenticated users with knowledge of the underlying...
[SECURITY] Fedora 38 Update: python-aiohttp-3.9.1-1.fc38
Python HTTP client/server for asyncio which supports both the client and the server side of the HTTP protocol, client and server websocket, and webservers with middlewares and pluggable routing...
[SECURITY] Fedora 39 Update: python-aiohttp-3.9.1-1.fc39
Python HTTP client/server for asyncio which supports both the client and the server side of the HTTP protocol, client and server websocket, and webservers with middlewares and pluggable routing...