tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
The URL pattern of "" (the empty string), which exactly maps to the context root, was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It...
Red Hat 389 Directory Server Denial of Service Vulnerability (CNVD-2018-09155)
Red Hat 389 Directory Server (formerly known as Fedora Directory Server) is an enterprise-class Linux directory server from Red Hat. The server fully supports the LDAPv3 specification and features scalability, multi-master replication, and more. A security vulnerability exists in Red Hat 389...
UBUNTU-CVE-2011-0704
389 Directory Server 1.2.7.5, when built with mozldap, allows remote attackers to cause a denial of service (replica crash) by sending an empty modify request...
Meross MSS110 TELNET listener unauthorized access vulnerability
Meross MSS110 is a smart WiFi socket device from Meross Technologies, China. TELNET listener is one of the TELNET listening components. A security vulnerability exists in the TELNET listener in Meross MSS110 versions prior to 1.1.24. The vulnerability can be exploited by an attacker to access the...
php: Invalid read when wddx decodes empty boolean element
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document...
puppet-tripleo unauthorized access vulnerability
puppet-tripleo is an open source tool for installing, upgrading and operating on OpenStack. A security vulnerability exists in puppet-tripleo versions prior to 5.5.0 and prior to 6.2.0. The vulnerability can be exploited by an attacker to create TCP/UDP rules with the help of empty port values to...
CVE-2016-9599
puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources...
kernel: Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel
A flaw was found in the Linux kernel's client-side implementation of the cifs protocol. This flaw allows an attacker controlling the server to kernel panic a client which has the CIFS server mounted...
PT-2018-9372
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions 3.18 through 4.16. Description: The Linux Kernel incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the...
Ruby Directory Traversal Vulnerability
Ruby is a simple and fast object-oriented scripting language. Ruby suffers from a directory traversal vulnerability. The vulnerability occurs because the Dir.open, Dir.new, Dir.entries, and Dir.empty? methods do not check for null characters. An attacker can exploit th...
Amazon Linux AMI : tomcat80 (ALAS-2018-973)
Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration: As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not...
Fedora 26 : zsh (2018-9cdf18a850)
avoid crash when copying empty hash table (CVE-2018-7549); avoid NULL dereference when using $PA... on an empty array (CVE-2018-7548); fix buffer overrun in xsymlinks (CVE-2017-18206); fix NULL dereference in cd (CVE-2017-18205). Note that Tenable Network Security has extracted the preceding...
UnboundID LDAP SDK Authentication Bypass Vulnerability
UnboundID LDAP SDK is a software development kit for LDAP directory servers that communicate with Java. An authentication bypass vulnerability exists in the SimpleBindRequest handler function in the UnboundID LDAP SDK commit. An attacker can exploit this vulnerability by providing a valid usernam...
CVE-2018-1000134
UnboundID LDAP SDK, from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6 (where the issue was reported and fixed), contains an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class doesn't check for empty...
Improper access control
UnboundID LDAP SDK, from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6 (where the issue was reported and fixed), contains an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class doesn't check for empty...
User Profile Management: Default Exclusion List not working. Error: "HDX policy DefaultSyncExclusionListDir disabled. Using an empty list"
If you enable the "Enable Default Exclusion List - directories" policy from Citrix Studio, it might not work as expected. The following entry is recorded in User Profile Management (UPM) logs: 2018-03-16;19:09:25.611;INFORMATION;;;;1756;ReadPolicy: HDX policy DefaultSyncExclusionListDir disabled. Using an...