jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
A new polymorphic typing flaw was discovered in FasterXML jackson-databind, versions 2.x through 2.9.9. With default typing enabled, an attacker can send a specifically crafted JSON message to the server that allows them to read arbitrary local files...
OpenSSL Information Disclosure Vulnerability (CNVD-2019-38485)
OpenSSL is an open source general-purpose cryptographic library from the OpenSSL team that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of cryptographic algorithms, including symmetric ciphers, hash algorithms,...
PT-2019-17114 · IBM · IBM Security Key Lifecycle Manager
Name of the Vulnerable Software and Affected Versions: IBM Security Key Lifecycle Manager versions 2.6 through 3.0.1 Description: The issue discloses sensitive information to unauthorized users, which can be used to mount further attacks on the system. Recommendations: For versions 2.6 through...
CVE-2019-4280
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 displays sensitive information in HTTP requests which could be used in further attacks against the system. IBM X-Force ID: 160503...
IBM Sterling File Gateway Information Disclosure Vulnerability (CNVD-2019-34605)
IBM Sterling File Gateway is a suite of file transfer software from IBM in the United States. The software integrates different centers of file transfer activity and facilitates the secure exchange of file-based data over the Internet. An information disclosure vulnerability exists in IBM Sterlin...
QEMU: qxl: null pointer dereference while releasing spice resources
interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference...
ai.agnos:reactive-sparql_2.12 (>=0.3.0 <=0.3.1), ai.databand:dbnd-agent (>=0.42.1 <=0.80.6) +11468 more potentially affected by CVE-2019-14540 via com.fasterxml.jackson.core:jackson-databind (>=2.7.0 <=2.8.11.4)
com.fasterxml.jackson.core:jackson-databind MAVEN version =2.7.0, =0.3.0, =0.42.1, =0.42.1, =0.40.2, =0.42.1, =0.1.8, =0.2, =0.5, =0.8.0, =2.3.0, =1.5.6, =4.2.1, =4.4.1, =3.3.3, =3.3.8 and more Source cves: CVE-2019-14540 Source advisory: OSV:GHSA-H822-R4R5-V8JG...
status-board-cli (>=1.1.0 <=2.0.51) potentially affected by CVE-2019-15479 via status-board (>=1.1.12 <=1.1.80)
status-board NPM version =1.1.12, =1.1.0, =2.0.51 Source cves: CVE-2019-15479 Source advisory: OSV:GHSA-8864-RHMW-5M6F...
CVE-2019-11663
Clear text credentials are used to access managers app in Tomcat in Micro Focus Service Manager product versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. The vulnerability could be exploited to allow sensitive data exposure...
jolokia: system-wide CSRF that could lead to Remote Code Execution
A flaw was found in Jolokia, versions 1.2 through 1.6.0, where Jolokia did not correctly handle checking for origin and referrer headers when strict checking was enabled. An attacker could use this vulnerability to conduct cross-site request forgery or further attacks...
CVE-2019-5481
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3...
PT-2019-16927 · IBM · IBM Sterling File Gateway
Name of the Vulnerable Software and Affected Versions: IBM Sterling File Gateway versions 2.2.0.0 through 6.0.1.0 Description: The issue allows a remote attacker to send specially-crafted SQL statements, potentially enabling them to view, add, modify, or delete information in the back-end databas...
CVE-2019-5976
Cybozu Garoon 4.0.0 to 4.10.2 allows an attacker with administrative rights to cause a denial of service condition via unspecified vectors...
Google Android System Information Disclosure Vulnerability (CNVD-2019-30317)
Android is a Linux-based open source operating system jointly developed by Google Inc. and the Open Handset Alliance (OHA). An information disclosure vulnerability exists in the System component of Google Android 7.1.1, 7.1.2, 8.0, 8.1, and 9. An attacker can exploit the vulnerability to...
GitLab Omnibus Privilege Vulnerability
Omnibus GitLab is a package of the different services and tools needed to run GitLab, from GitLab (USA). An elevation of privilege vulnerability exists in GitLab Omnibus, in GitLab versions 7.4 through 12.2.1, which can be exploited by an attacker to elevate privileges...
3gtel-frontend-platform (=1.0.0), @achieve-all/v-element (=1.0.0) +1000 more potentially affected by CVE-2019-10747 via set-value (>=0.1.6 <=1.0.0)
set-value NPM version =0.1.6, =5.0.0, =4.0.2, =0.1.1, =1.0.0, =1.0.0, =1.1.0, =1.0.0, =1.0.1, =1.0.0, =1.0.0, =2.0.0, =2.0.16 and more Source cves: CVE-2019-10747 Source advisory: OSV:GHSA-4G88-FPPR-53PP...
PT-2019-17082 · IBM · IBM API Connect
Name of the Vulnerable Software and Affected Versions: IBM API Connect versions 2018.1 through 2018.4.1.6 Description: The issue may cause sensitive details about internal servers and network to be leaked via API swagger. Recommendations: For versions 2018.1 through 2018.4.1.6, consider restricti...
@alexbp-ds/microservice-wrapper (=1.1.8), @apifie/node-microservice (>=0.0.1 <=1.0.3) +94 more potentially affected by CVE-2019-10752 via sequelize (>=4.0.0 <=4.44.2)
sequelize NPM version =4.0.0, =0.0.1, =4.0.2, =1.0.16, =1.0.20, =1.0.18, =1.0.10, =1.0.0, =0.1.0, =0.0.1, =1.0.0, =1.0.6, =5.1.3, =1.6.7, =0.6.3, =0.6.5 and more Source cves: CVE-2019-10752 Source advisory: SNYK:JS-SEQUELIZE-459751...
a3m (=0.1.0), aa-fleet (>=1.0.0 <=1.1.0) +656 more potentially affected by CVE-2019-14234 via django (>=2.2.0 <=2.2.3)
django PYPI version =2.2.0, =1.0.0, =1.1.12, =0.1.0a0, =0.1.0a0, =1.2.0a1, =2.0.0, =0.1.0, =1.1.0, =1.4.1, =1.6.0 - aiida-crystal17 =0.11.0 and more Source cves: CVE-2019-14234 Source advisory: OSV:GHSA-6R97-CJ55-9HRQ...
3CX Phone system (web) management console code issue vulnerability
3CX Phone system web management console is a web-based management console program for the 3CX phone system. A code issue vulnerability exists in 3CX Phone system web management console versions 12.5.44178.1002 through 12.5 SP2. The vulnerability arises from an improperly designed or implemented...