Lucene search
K

245 matches found

OSV
OSV
added 2022/05/24 4:45 p.m.3 views

GHSA-FJW4-39PG-VF4F Apache Karaf vulnerable to relative path traversal

Apache Karaf Config service provides a install method via service or MBean that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. Any Apache Karaf version before 4.2.5 is impacted. Use...

4.9CVSS5.9AI score0.01836EPSS
Exploits0References6
Spring Security Advisories
Spring Security Advisories
added 2022/05/24 7:0 a.m.34 views

This Week in Spring - May 24th, 2022

Hi, Spring fans! Im in Spain for business and not just a little pleasure. Yesterday, my partner, her mother, and I went to Formentera, Spain, a little island off of Ibiza, Spain. It was amazing. Were now in Ibiza, Spain, which is a little island not far from Barcelona, Spain, on the mainland of...

Exploits0
ATTACKERKB
ATTACKERKB
added 2022/05/10 9:15 p.m.6 views

CVE-2022-0866

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the...

5.3CVSS5.9AI score0.00842EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2022/05/01 6:24 p.m.4 views

berkano:bean-displaytag (>=20050615.234814 <=20050616.015551), berkano:berkano-util (>=20050725.114415 <=dev-20050723) +28 more potentially affected by CVE-2007-4556 via opensymphony:xwork (>=1.0.3 <=1.2.2)

opensymphony:xwork MAVEN version =1.0.3, =20050615.234814, =20050725.114415, =2.1.5, =1.1.3, =1.0-alpha-1, =1.1-beta-1, =1.1-beta-1, =1.0-beta-2, =1.0-beta-3 - org.codehaus.jet:jet-web-engine =1.0-beta-2 and more Source cves: CVE-2007-4556 Source advisory: OSV:GHSA-H7MF-QRM9-2848...

6.8CVSS5.4AI score0.25749EPSS
Exploits0
GithubExploit
GithubExploit
added 2022/04/29 9:58 a.m.305 views

Exploit for Code Injection in Vmware Spring_Framework

漏洞简介 最近spring爆出重磅级CVE漏洞,cve信息显示"A Spring MVC or Spring WebFl...

9.8CVSS9.3AI score0.99677EPSS
Exploits108
vulnersOsv
vulnersOsv
added 2022/03/15 1:56 p.m.5 views

ai.h2o:h2o-clustering (>=3.32.1.1 <=3.44.0.2), ai.h2o:h2o-k8s (>=3.30.0.2 <=3.44.0.2) +212 more potentially affected by CVE-2022-21230 via org.nanohttpd:nanohttpd (>=2.2.0 <=2.3.1)

org.nanohttpd:nanohttpd MAVEN version =2.2.0, =3.32.1.1, =3.30.0.2, =3.34.0.3, =1.0.0, =1.0.0, =1.0.0, =3.8, =1.0, =1.1, =0.2.22, =0.2.22, =0.4.15 and more Source cves: CVE-2022-21230 Source advisory: SNYK:JAVA-ORGNANOHTTPD-2422798...

5.5CVSS6AI score0.00289EPSS
Exploits0
OSV
OSV
added 2022/02/10 11:6 p.m.3 views

GHSA-WFJ5-2MQR-7JVV Expression Language Injection in Netflix Conductor

Netflix Conductor uses Java Bean Validation JSR 380 custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being...

9.8CVSS6AI score0.02006EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/02/10 11:6 p.m.78 views

Expression Language Injection in Netflix Conductor

Netflix Conductor uses Java Bean Validation JSR 380 custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being...

9.8CVSS8.9AI score0.02006EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2022/01/06 12:0 a.m.6 views

Apache Pluto 跨站脚本漏洞

A cross-site scripting vulnerability exists in the Apache Pluto Applicant MVCBean CDI portlet, which stems from the Apache Pluto Applicant MVCBean CDI runtime environment. portlet is vulnerable to cross-site scripting XSS attacks in the input fields of the JSP version of the portlet. No details o...

6.1CVSS5.1AI score0.02327EPSS
Exploits0References3
OSV
OSV
added 2021/11/08 4:15 a.m.6 views

CVE-2021-31599

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports .prpt file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code...

8.8CVSS5.9AI score0.02266EPSS
Exploits3References2
CNNVD
CNNVD
added 2021/08/25 12:0 a.m.3 views

Primekey Solutions PrimeKey EJBCA 安全漏洞

Primekey Solutions PrimeKey EJBCA is a full-featured CA system software from PrimeKey Solutions Primekey Solutions, Sweden. The software is used for domain certificate management, enrollment and enrollment-to-certificate validation and other functions to achieve access security. A security...

2.3CVSS5AI score0.00223EPSS
Exploits0References1
Kitploit
Kitploit
added 2021/07/22 12:30 p.m.791 views

Beanshooter - JMX Enumeration And Attacking Tool

Beanshooter is a command line tool written in Java , which helps to identify common vulnerabilities on JMX endpoints. Introduction JMX stands for Java Management Extensions and can be used to monitor and configure the Java Virtual Machine from remote. Applications like tomcat or JBoss are often...

9.8CVSS9.7AI score0.92334EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2021/06/26 12:0 a.m.13 views

PT-2021-19956 · Apache · Apache Dubbo

Name of the Vulnerable Software and Affected Versions: Apache Dubbo versions prior to 2.6.10 and 2.7.10 Description: Apache Dubbo is a Java-based, open-source RPC framework. The issue concerns pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main...

9.8CVSS9.8AI score0.02909EPSS
Exploits1References9
OSV
OSV
added 2021/01/15 8:15 p.m.17 views

CVE-2021-21244

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

9.8CVSS7.1AI score
Exploits0References2
Prion
Prion
added 2021/01/15 8:15 p.m.19 views

Input validation

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

7.5CVSS9.4AI score0.01494EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2021/01/15 8:5 p.m.31 views

CVE-2021-21244 Pre-Auth SSTI via Bean validation message tampering

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

10CVSS9.7AI score0.01494EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2021/01/15 12:0 a.m.7 views

PT-2021-14354 · Onedev · Onedev

Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3 Description: The issue is related to a pre-auth server side template injection via Bean validation message tampering in OneDev, an all-in-one devops platform. This was fixed in version 4.0.3 by disabling...

10CVSS9.4AI score0.01494EPSS
Exploits0References6
CNNVD
CNNVD
added 2021/01/15 12:0 a.m.6 views

Theonedev Onedev 代码代码注入漏洞

Theonedev Onedev is a JAVA-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. Theonedev An injection vulnerabili...

10CVSS7.3AI score0.01494EPSS
Exploits0References3
OSV
OSV
added 2021/01/14 3:15 p.m.5 views

UBUNTU-CVE-2021-23926

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0...

9.1CVSS6.6AI score0.06215EPSS
Exploits0References4
OSV
OSV
added 2020/12/24 8:49 p.m.24 views

GHSA-WMFG-55F9-J8HQ Server-Side Template Injection

Impact A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution RCE vulnerability. This has been assigned CVE-2020-26282. Patches Effective Immediately, all users should upgrade ...

10CVSS9.9AI score0.04629EPSS
Exploits1References5
Rows per page
Query Builder