GHSA-F4JH-WW96-9H9J Netflix/Priam: Temporary Directory Information Disclosure
Impact When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they cannot modify the contents. This allows for local information disclosure if these files contain...
Information Disclosure
cloud-init is vulnerable to Information Disclosure. When a user-specified configuration would generate random passwords for users, cloud-init causes those passwords to be written to the serial console by emitting them on stderr. In the default configuration, any stdout or stderr emitted by...
Medium: cloud-init
Issue Overview: A flaw was found in cloud-init, where it uses the random.choice function when creating sensitive random strings used for generating a random password in new instances. Depending on the instance configuration, a remote or local attacker may abuse this vulnerability to guess the...
Medium: cloud-init
Issue Overview: A vulnerability was discovered in cloud-init which can improperly disclose randomly generated passwords as part of the chpasswd module. The fix prevents the generated password from being written to a world-readable log file on the local disk. CVE-2021-3429 Affected Packages:...
Security Bulletin: IBM Verify Gateway PAM components do not set restricted access permission for debug logs (CVE-2020-4405)
Summary To debug the IBM Verify Gateway IVG PAM components, customers can add "trace-file" parameters in the PAM configuration so that .log files are written to the /tmp directory. These debug logs potentially contain sensitive information, and yet they default to world readable. They should have...
Debian DSA-4850-1 : libzstd - security update
It was discovered that zstd, a compression utility, temporarily exposed a world-readable version of its input even if the original file had restrictive permissions. © Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Debian Security Advisory...
[SECURITY] [DSA 4850-1] libzstd security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4850-1 [email protected] https://www.debian.org/security/ Sebastien Delafond February 10, 2021 https://www.debian.org/security/faq -...
[SECURITY] Fedora 33 Update: czmq-4.2.1-1.fc33
CZMQ has the following goals: i To wrap the ØMQ core API in semantics that are natural and lead to shorter, more readable applications. ii To hide the differences between versions of ØMQ. iii To provide a space for development of more sophisticated API semantics...
CVE-2021-25275
SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login...
CVE-2021-25276
In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files that include users' password hashes that is world readable and writable. An unprivileged Windows user having access to the server's filesystem can add an FTP user by copying a valid profile file to thi...
SolarWinds Serv-U FTP Server Authorization Issues Vulnerability
SolarWinds Serv-U FTP Server is a suite of FTP and MFT file transfer software from the US-based SolarWinds Corporation. A security vulnerability exists in SolarWinds Serv-U before 15.2.2 Hotfix 1, which stems from a directory containing a user configuration file which includes a user's password...
Medium: targetcli
Issue Overview: An access flaw was found in targetcli, where the /etc/target and underneath backup directory/files were world-readable. This flaw allows a local attacker to access potentially sensitive information such as authentication credentials from the /etc/target/saveconfig.json and backup...
The vulnerability of the SCADA system MasterSCADA, related to the storage of passwords in a decipherable format, allows an intruder to decrypt the protected control project.
The vulnerability of the SCADA system MasterSCADA relates to the storage of passwords in a readable format. Exploiting this vulnerability could allow an attacker to decrypt the passwords and access the protected project...
targetcli: weak permissions for /etc/target and backup files
An access flaw was found in targetcli, where the /etc/target and underneath backup directory/files were world-readable. This flaw allows a local attacker to access potentially sensitive information such as authentication credentials from the /etc/target/saveconfig.json and backup files. The highe...
CVE-2020-4906
IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 allows web pages to be stored locally which can be read by another user on the system...
AZL-66000 CVE-2020-8908 affecting package guava20 20.0-5
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir. By default, on unix-like systems, the created directory i...
DEBIAN-CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir. By default, on unix-like systems, the created directory i...
UBUNTU-CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir. By default, on unix-like systems, the created directory i...
SUSE SLES12 Security Update : libzypp (SUSE-SU-2020:0079-2)
This update for libzypp fixes the following issues : Security issue fixed : CVE-2019-18900: Fixed assert cookie file that was world readable bsc1158763. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted...
CVE-2020-26261 user-readable api tokens in systemd units
jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users...