14 matches found
CVE-2024-38821
CVE-2024-38821 affects Spring WebFlux with Spring Security static resource rules. A bypass is possible when a non-permitAll authorization rule is applied to Spring’s static resources and the resources are served by a WebFlux app using Spring’s static resources support. Documents confirm this CVE ...
Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2023-34034 and CVE-2023-34035 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses VMware Tanzu Spring Security which is vulnerable to CVE-2023-34034 and CVE-2023-34035. The vulnerabilities in the product component have been addressed. Vulnerability Details CVEID:CVE-2023-34034 DESCRIPTION: VMware Tanzu Spring Securi...
Authorization Rule Misconfiguration
spring-security-config is vulnerable to Authorization Rule Misconfiguration. The vulnerability exists due to the lack of validation in the RequestMatcher of AbstractRequestMatcherRegistry.java when the application uses the requestMatchersString function with multiple servlets, one of them being...
CVE-2023-34035
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
CVE-2023-34035
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
Mageia: Security Advisory (MGASA-2019-0214)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
EulerOS 2.0 SP3 : gvfs (EulerOS-SA-2019-2039)
According to the version of the gvfs packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket witho...
CVE-2019-12795
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. Note that the server socket...
CVE-2019-12795
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. Note that the server socket...
Authorization
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. Note that the server socket...
CVE-2019-12795
The CVE-2019-12795 vulnerability affects GNOME gvfsd (daemon/gvfsdaemon.c) in gvfs, where before certain releases the private D-Bus server socket was opened without an authorization rule. A local attacker could discover the server, connect to the socket, and issue D-Bus method calls, noting that ...
CVE-2019-12795
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. Note that the server socket...
CVE-2019-12795
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. Note that the server socket...
pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules authz.evaluateOrder=allow,deny, then allow rules will...