3509 matches found

Github Security Blog
added 2021/06/23 5:20 p.m. · 57 views

Improper input validation in CNCF Cortex

The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth passwordfile can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack...

CVSS 5.5 · AI score 0.9 · EPSS 0.0037
Exploits 0 · References 6 · Affected Software 1

NVD
added 2021/06/18 10:15 a.m. · 15 views

CVE-2021-21669

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 9.8 · EPSS 0.25746
Exploits 0 · References 2

OSV
added 2021/06/18 10:15 a.m. · 4 views

CVE-2021-21669

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 9.8 · AI score 7.3
Exploits 0 · References 2

Prion
added 2021/06/18 10:15 a.m. · 21 views

XXE

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

CVSS 7.5 · AI score 9.4 · EPSS 0.25746
Exploits 0 · References 2 · Affected Software 1

CVE
added 2021/06/18 9:25 a.m. · 79 views

CVE-2021-21669

CVE-2021-21669 affects the Jenkins Generic Webhook Trigger Plugin (versions 1.72 and earlier). The root cause is an XML parser that does not disable external entity resolution, enabling XML External Entity (XXE) attacks. Exploitation could allow a crafted webhook payload to cause leakage of file ...

CVSS 9.8 · AI score 9.4 · EPSS 0.25746
Exploits 0 · References 2 · Affected Software 1

Cvelist
added 2021/06/18 9:25 a.m. · 18 views

CVE-2021-21669

Jenkins Generic Webhook Trigger Plugin 1.72 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...

AI score 9.7 · EPSS 0.25746
Exploits 0 · References 2

CNNVD
added 2021/06/18 12:00 a.m. · 3 views

Jenkins code issue vulnerability

Jenkins is an open source application. As an open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project. A code issue vulnerability exists in Jenkins Generic Webhook Trigger Plugin 1.72 and earlier versions that stems from not...

CVSS 9.8 · AI score 8.4 · EPSS 0.25746
Exploits 0 · References 4

Positive Technologies
added 2021/06/18 12:00 a.m. · 5 views

PT-2021-14712 · Jenkins · Jenkins Generic Webhook Trigger Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Generic Webhook Trigger Plugin versions 1.72 and earlier
Description: The issue allows attackers to have Jenkins parse a crafted XML request body that uses external entities for extraction of secrets from the Jenkins controller or...

CVSS 9.8 · AI score 9.3 · EPSS 0.25746
Exploits 0 · References 9

CNNVD
added 2021/06/08 12:00 a.m. · 10 views

GitLab code issue vulnerability

GitLab is a self-hosted Git repository management application built on Ruby on Rails, from the American company GitLab. The program can be used to access a project's file contents, commit history, bug lists, and more. A security vulnerability exists in GitLab CE/EE that stem...

CVSS 8.6 · AI score 8.1 · EPSS 0.27806
Exploits 1 · References 4

Veracode
added 2021/05/31 6:28 a.m. · 15 views

Denial Of Service (DoS)

@worker-tools/stripe-webhook is vulnerable to denial of service. verifyHeader is not an async function in the webhook, which causes an error to be thrown after the request has finished...

AI score 2.7
Exploits 0

OSV
added 2021/05/28 7:49 p.m. · 19 views

GHSA-G42G-737J-QX6J Access Restriction Bypass in kube-apiserver

A vulnerability in Kubernetes kube-apiserver could allow node updates to bypass a Validating Admission Webhook and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overwrite values used for validation. Since the...

CVSS 6.5 · AI score 6.5 · EPSS 0.05226
Exploits 1 · References 9

Github Security Blog
added 2021/05/28 7:49 p.m. · 21 views

Access Restriction Bypass in kube-apiserver

A vulnerability in Kubernetes kube-apiserver could allow node updates to bypass a Validating Admission Webhook and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overwrite values used for validation. Since the...

CVSS 6.5 · AI score 2.5 · EPSS 0.05226
Exploits 1 · References 9 · Affected Software 1

Github Security Blog
added 2021/05/28 7:18 p.m. · 66 views

constructEvent does not verify header

Impact: Anyone verifying a Stripe webhook request via this library's constructEvent function. Patches: Upgrade to 1.1.4. Workarounds: Use await verifyHeader... directly instead of constructEvent. References: https://github.com/worker-tools/stripe-webhook/issues/1...

AI score 1.5
Exploits 0 · References 2 · Affected Software 1

OSV
added 2021/05/28 7:18 p.m. · 13 views

GHSA-4G53-VP7Q-GFJV constructEvent does not verify header

Impact: Anyone verifying a Stripe webhook request via this library's constructEvent function. Patches: Upgrade to 1.1.4. Workarounds: Use await verifyHeader... directly instead of constructEvent. References: https://github.com/worker-tools/stripe-webhook/issues/1...

AI score 7
Exploits 0 · References 1

RedhatCVE
added 2021/05/19 2:04 a.m. · 48 views

CVE-2021-25737

A security issue was discovered in Kubernetes where an authorized user may be able to redirect traffic to private networks on a Node. An untrusted user could exploit this by creating or modifying EndpointSlices to point to localhost or link-local addresses. Mitigation: Prevent untrusted users from...

CVSS 4.9 · AI score 1.4 · EPSS 0.01289
Exploits 0 · References 5

NVD
added 2021/05/13 6:15 p.m. · 14 views

CVE-2021-22139

Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all...

CVSS 6.5 · EPSS 0.00999
Exploits 0 · References 1

OSV
added 2021/05/13 6:15 p.m. · 24 views

CVE-2021-22139

Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all...

CVSS 6.5 · AI score 7
Exploits 0 · References 1

Prion
added 2021/05/13 6:15 p.m. · 22 views

Denial of service

Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all...

CVSS 4 · AI score 6.3 · EPSS 0.00999
Exploits 0 · References 1 · Affected Software 1

Cvelist
added 2021/05/13 5:35 p.m. · 15 views

CVE-2021-22139

Kibana versions before 7.12.1 contain a denial of service vulnerability in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all...

AI score 6.6 · EPSS 0.00999
Exploits 0 · References 1

CNVD
added 2021/05/08 12:00 a.m. · 3 views

Zulip server access control error vulnerability

Zulip server is an open source team chat application from the American company Zulip. An access control error vulnerability exists in versions of Zulip Server prior to 3.4, which stems from a bug in the implementation of replies to messages that send a webhook to a private stream. No details of th...

CVSS 4.3 · AI score 6.6 · EPSS 0.00656
Exploits 0 · References 1