9286 matches found

Tenable Nessus
added 2018/10/31 12:0 a.m. | 93 views

RHEL 7 : python (RHSA-2018:3041)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:3041 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

CVSS 7.5 | AI score 6.6 | EPSS 0.05103
Exploits 1 | References 11

IBM Security Bulletins
added 2018/10/29 7:35 p.m. | 59 views

Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Asset and Service Management

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life...

CVSS 8.1 | AI score 1.4 | EPSS 0.13872
Exploits 1 | Affected Software 8

IBM Security Bulletins
added 2018/10/25 8:20 p.m. | 29 views

Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server bundled with IBM WebSphere Application Server Patterns

Summary WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server have been published in multiple security bulletins. Vulnerability Details Please consult the following...

CVSS 6.5 | AI score 2.6 | EPSS 0.13872
Exploits 1 | Affected Software 1

OSV
added 2018/10/16 7:35 p.m. | 3 views

GHSA-8FX9-5HX8-CRHM Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal

In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack...

CVSS 9.8 | AI score 7.2 | EPSS 0.99461
Exploits 28 | References 9

RedHat Linux
added 2018/10/16 5:5 p.m. | 0 views

RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310...

CVSS 9.8 | AI score 6.1 | EPSS 0.21375
Exploits 1 | References 5

Prion
added 2018/10/16 4:50 p.m. | 10 views

Code injection

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.nextblock was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

CVSS 5 | AI score 7.2 | EPSS 0.0225
Exploits 1 | References 1 | Affected Software 1

OSV
added 2018/10/16 4:50 p.m. | 1 views

UBUNTU-CVE-2018-18385

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.nextblock was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

CVSS 7.5 | AI score 7.1 | EPSS 0.0225
Exploits 1 | References 3

Debian CVE
added 2018/10/16 3:0 p.m. | 14 views

CVE-2018-18385

Asciidoctor in versions 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.nextblock was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detect...

CVSS 7.5 | AI score 7.3 | EPSS 0.0225
Exploits 1

Github Security Blog
added 2018/10/10 6:57 p.m. | 29 views

ReDoS via long string of semicolons in tough-cookie

Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header. Recommendation Update to version 2.3.0 or later...

CVSS 5.3 | AI score 4.8 | EPSS 0.02356
Exploits 0 | References 9 | Affected Software 1

Github Security Blog
added 2018/10/09 12:40 a.m. | 34 views

Regular Expression Denial of Service in minimatch

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern). Proof of Concept js var minimatch = require("minimatch"); // utility function for generating long strings var genstr = functio...

CVSS 7.5 | AI score 7.4 | EPSS 0.01743
Exploits 1 | References 3 | Affected Software 1

OSV
added 2018/10/09 12:40 a.m. | 39 views

GHSA-HXM2-R34F-QMC5 Regular Expression Denial of Service in minimatch

Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern). Proof of Concept js var minimatch = require("minimatch"); // utility function for generating long strings var genstr = functio...

CVSS 7.5 | AI score 7.4 | EPSS 0.01743
Exploits 1 | References 3

Github Security Blog
added 2018/10/09 12:30 a.m. | 31 views

Regular Expression Denial of Service in negotiator

Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value. Recommendation Update to version 0.6.1 or later...

CVSS 7.5 | AI score 5.1 | EPSS 0.01399
Exploits 0 | References 3 | Affected Software 1

Github Security Blog
added 2018/10/09 12:27 a.m. | 40 views

Denial of Service in protobufjs

Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid .proto files. Recommendation Update to version 5.0.3, 6.8.6 or later...

CVSS 5.5 | AI score 5.4 | EPSS 0.00958
Exploits 1 | References 5 | Affected Software 1

OSV
added 2018/10/04 11:29 p.m. | 3 views

CVE-2018-17984

An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access...

CVSS 7.8 | AI score 6 | EPSS 0.03369
Exploits 1 | References 3

CVE
added 2018/10/04 11:0 p.m. | 55 views

CVE-2018-17984

CVE-2018-17984 affects ISPConfig prior to 3.1.13, where an unanchored /[a-z]{2}/ regular expression enables arbitrary file inclusion, potentially leading to code execution. The issue is exploitable by authenticated users with local filesystem access, allowing execution in the security context of ...

CVSS 7.8 | AI score 7.6 | EPSS 0.03369
Exploits 1 | References 3 | Affected Software 1

Tenable Nessus
added 2018/10/03 12:0 a.m. | 35 views

openSUSE Security Update : zsh (openSUSE-2018-1094)

This update for zsh to version 5.6.2 fixes the following issues. These security issues were fixed: - CVE-2018-0502: The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line (bsc#1107296) - CVE-2018-13259: Shebang lines exceeding 6...

CVSS 9.8 | AI score 8.1 | EPSS 0.02723
Exploits 0 | References 14

Veracode
added 2018/10/01 9:13 a.m. | 7 views

Regular Expression Denial Of Service (ReDoS)

truncate is vulnerable to Regular Expression Denial of Service (ReDoS). A malicious user can pass a string to truncate that can cause a ReDoS...

AI score 6.6
Exploits 0

Veracode
added 2018/10/01 2:13 a.m. | 7 views

Regular Expression Denial Of Service (ReDoS)

ua-parser-js is vulnerable to regular expression denial of service (ReDoS). The vulnerability exists because the string parser does not use proper regular expressions to filter out malicious strings passing to it...

AI score 6.5
Exploits 0

Microsoft KB
added 2018/09/26 12:0 a.m. | 37 views

List of changes and fixed issues in the .NET Framework 3.5 Service Pack 1

List of changes and fixed issues in the .NET Framework 3.5 Service Pack 1. Summary: This article describes the following aspects of the Microsoft .NET Framework 3.5 Service Pack 1 (SP1): Hotfixes that are included in this service pack; New features and functionalities. Note: This update also includes...

AI score 7.8
Exploits 0

Github Security Blog
added 2018/09/17 8:44 p.m. | 45 views

js-bson vulnerable to REDoS

The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString function is called to parse a long untrusted string...

CVSS 7.5 | AI score 7.1 | EPSS 0.01941
Exploits 1 | References 4 | Affected Software 1