2725 matches found
jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks
A flaw was found in the Subversion Jenkins plugin. The XML parser is not properly configured to prevent XML external entity (XXE) attacks, allowing an attacker who can control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secret...
RHEL 7 / 8 : OpenShift Container Platform 4.6.12 (RHSA-2021:0038)
The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0038 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...
CVE-2021-23926
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0...
Code injection
A vulnerability has been identified in JT2Go All versions V13.1.0, Teamcenter Visualization All versions V13.1.0. When opening a specially crafted xml file, the application could disclose arbitrary files to remote attackers. This is because of the passing of specially crafted content to the...
IBM HTTP Server 7.0.0.0 <= 7.0.0.45 / 8.0.0.0 <= 8.0.0.15 / 8.5.0.0 < 8.5.5.17 / 9.0.0.0 < 9.0.5.1 Multiple Vulnerabilities (964768)
The version of IBM HTTP Server running on the remote host is affected by multiple vulnerabilities as follows: - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while...
XML External Entity (XXE)
plone.app.dexterity is vulnerable to XML External Entity (XXE) injection. An attacker with the Manager role is able to make the server issue requests on the attacker's behalf and gain access to internal resources. The vulnerability exists when XML input containing a reference to an external entity is processed by a weakly configur...
XML External Entity (XXE)
Nokogiri is vulnerable to an XML external entity (XXE) attack. The vulnerability exists because external DTDs are loaded by default by the XML parser, which would allow an attacker to make the server issue requests on the attacker's behalf and gain access to internal and local resources...
CVE-2020-26247 XXE in Nokogiri
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the...
Debian: Security Advisory (DLA-2498-1)
The remote host is missing an update for the Debian xerces-c package announced via the DLA-2498-1 advisory...
Debian DSA-4814-1 : xerces-c - security update
It was discovered that xerces-c, a validating XML parser library for C++, did not correctly scan DTDs. The use-after-free vulnerability resulting from this issue would allow a remote attacker to leverage a specially crafted XML file in order to crash the application or potentially execute arbitra...
Debian DLA-2498-1 : xerces-c security update
The UK's National Cyber Security Centre (NCSC) discovered that Xerces-C, a validating XML parser library for C++, contains a use-after-free error triggered during the scanning of external DTDs. An attacker could cause a Denial of Service (DoS) and possibly achieve remote code execution. This flaw has...
[SECURITY] [DLA 2498-1] xerces-c security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-2498-1 [email protected] https://www.debian.org/lts/security/ December 17, 2020 https://wiki.debian.org/LTS - -------------------------------------------------------------------------...
[SECURITY] [DSA 4814-1] xerces-c security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4814-1 [email protected] https://www.debian.org/security/ Sebastien Delafond December 17, 2020 https://www.debian.org/security/faq -...
NewStart CGSL CORE 5.05 / MAIN 5.05 : expat Vulnerability (NS-SA-2020-0116)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has expat packages installed that are affected by a vulnerability: - Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute...
NewStart CGSL CORE 5.05 / MAIN 5.05 : xerces-c Vulnerability (NS-SA-2020-0114)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has xerces-c packages installed that are affected by a vulnerability: - The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been...
Arcserve D2D getNews XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE)...
CVE-2020-2324
Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
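The Jenkins Subversion/CVS plugin, XMLBeans, plone.app.dexterity and Nokogiri entries above all describe the same misconfiguration: a parser that honours DTD entity declarations in attacker-supplied XML. The following is an added example, not code from any of the listed projects, that drives Python's pyexpat directly so that both outcomes are reproducible offline. The "weak" parser installs an external-entity resolver, which is what a carelessly configured parser does; the hardened parser refuses any DOCTYPE, the pyexpat counterpart of the Xerces `http://apache.org/xml/features/disallow-doctype-decl` feature that the Java-based entries need. The "secret" file, the changelog-shaped XXE document and the three-level entity-expansion document are all constructed for the demonstration.

```python
"""XXE and entity expansion against an XML parser: weak configuration beside a hardened one.

Added example; not code from any project listed on this page. Uses only the standard
library (pyexpat) so that what the parser does with a DOCTYPE is explicit."""
import os
import tempfile
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised by parse_hardened when a document tries to use DTD features."""


def make_xxe_doc(secret_path):
    # Constructed attacker document in the shape of a changelog: the general entity
    # 'xxe' names a local file, and its content is spliced into <msg>.
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE log [\n'
        f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
        ']>\n'
        '<log><msg>&xxe;</msg></log>'
    )


# Constructed entity-expansion ("billion laughs") document, kept to three levels
# so it runs instantly: 1 -> 10 -> 100 copies of "lol" from a few hundred input bytes.
ENTITY_EXPANSION_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    ' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    ']>\n'
    '<lolz>&lol2;</lolz>'
)


def parse_weak(xml_text):
    """Parser that resolves external entities; returns all character data it saw."""
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def resolve_external(context, base, system_id, public_id):
        # The dangerous step: fetch whatever SYSTEM URI the document names and
        # feed its bytes back into the parse as if they were part of the document.
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            data = fh.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        child.Parse(data, True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_text.encode("utf-8"), True)
    return "".join(chunks)


def parse_hardened(xml_text):
    """Same extraction, but any DOCTYPE (hence any entity declaration) aborts the parse."""
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{doctype_name}' rejected: DTDs are not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    # No ExternalEntityRefHandler is installed either, so expat has nothing to fetch with.
    parser.Parse(xml_text.encode("utf-8"), True)
    return "".join(chunks)


def rejected_by(parse, xml_text):
    """True if the given parser refuses the document with UnsafeXML."""
    try:
        parse(xml_text)
    except UnsafeXML:
        return True
    return False


def run_xxe_demo():
    """Writes a throw-away 'secret' file, feeds the XXE document to both parsers and
    returns (text_leaked_by_weak_parser, hardened_parser_rejected_it)."""
    secret = "db_password=hunter2"  # constructed; stands in for a credentials file
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        doc = make_xxe_doc(path)
        leaked = parse_weak(doc)
        rejected = rejected_by(parse_hardened, doc)
    finally:
        os.unlink(path)
    return leaked, rejected


def expansion_ratio(parse):
    """Bytes of character data the parser produces per byte of expansion-document input."""
    out = parse(ENTITY_EXPANSION_DOC)
    return len(out) / len(ENTITY_EXPANSION_DOC)


if __name__ == "__main__":
    leaked, rejected = run_xxe_demo()
    print("weak parser leaked:", leaked)
    print("hardened parser rejected the XXE document:", rejected)
    print("weak parser expansion ratio: %.2f" % expansion_ratio(parse_weak))
    print("hardened parser rejected the expansion document:",
          rejected_by(parse_hardened, ENTITY_EXPANSION_DOC))
```

Rejecting the DOCTYPE outright is the check to reach for when the application never needs a DTD, which is the case for changelogs, schemas and API payloads like those in the entries above: it closes both the file-read/SSRF path (external entities) and the CPU/memory path (nested internal entities) in one setting. Where a DTD is genuinely required, the next-best configuration leaves the DOCTYPE but disables external general and parameter entities and sets an expansion limit, and the same pyexpat handlers above show where each of those hooks sits.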