The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. ZipSecurity#isBelowCurrentDirectory is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version <=1.1.1, use ZipSecurity as a guard agains...
CVSS 5.4 | AI Score 7 | EPSS 0.001
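Added example, not Pixee's code: the partial-path-traversal pattern this entry describes is a plain string-prefix test on a normalised path, which also accepts a sibling directory whose name merely begins with the base directory. The Python below puts that check next to a component-aware one and runs both over constructed archive entry names; the base directory, entry names and helper names are assumptions for illustration.

```python
import posixpath

# Constructed layout (not from the advisory): archive entries are extracted under
# BASE, and a sibling directory happens to share BASE as a string prefix.
BASE = "/srv/app/data"


def zip_entry_target(base: str, entry_name: str) -> str:
    """Path an extractor would write to for a given archive entry name, after
    lexical normalisation of '.' and '..' components."""
    return posixpath.normpath(posixpath.join(base, entry_name))


def is_below_prefix_check(base: str, candidate: str) -> bool:
    """The partial-path-traversal pattern: a plain string-prefix test.
    '/srv/app/data-backup/x' starts with '/srv/app/data', so it is accepted
    even though it lies outside the directory."""
    return candidate.startswith(posixpath.normpath(base))


def is_below_dir(base: str, candidate: str) -> bool:
    """Hardened check: accept the base directory itself, or any path whose
    prefix is the base followed by a separator. Both sides are normalised
    first; a filesystem-backed variant would use realpath() as well so that
    symlinks cannot escape."""
    base_n = posixpath.normpath(base)
    cand_n = posixpath.normpath(candidate)
    if cand_n == base_n:
        return True
    return cand_n.startswith(base_n.rstrip("/") + "/")


def classify_entries(base: str, entry_names):
    """Return {entry: (prefix_check_result, hardened_result)} for each name."""
    out = {}
    for name in entry_names:
        target = zip_entry_target(base, name)
        out[name] = (is_below_prefix_check(base, target), is_below_dir(base, target))
    return out


if __name__ == "__main__":
    # Constructed archive entry names, including the sibling-directory escape.
    names = ["docs/readme.txt", "../data-backup/secrets", "../../etc/passwd", "/etc/passwd"]
    for name, verdict in classify_entries(BASE, names).items():
        print(f"{name!r:28} prefix-check={verdict[0]!s:5} hardened={verdict[1]}")
```

The only entry the two checks disagree on is the one that resolves to the sibling directory; both reject the classic `../../etc/passwd` and an absolute entry name, which is why a prefix test looks correct under casual testing.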
Spring Security OAuth vulnerable to remote code execution (RCE)
Spring Security OAuth versions prior to 2.3.3, prior to 2.2.2, prior to 2.1.2, and prior to 2.0.15 contain a remote code execution vulnerability. An attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded....
CVSS 9.8 | AI Score 9.6 | EPSS 0.047
Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API...
CVSS 5.4 | AI Score 5.3 | EPSS 0.001
WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter...
CVSS 5.3 | AI Score 6.9 | EPSS 0.001
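Added example, not the webauthn4j-spring-security code: the signature counter check this entry refers to, as the WebAuthn assertion verification steps describe it, together with the persistence of the new counter value that the check depends on. The record type, the `persist` switch (a hypothetical knob that models a verifier which compares but never stores the incremented value) and the counter sequences are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class StoredCredential:
    """Server-side record for one registered credential (constructed model)."""
    credential_id: bytes
    sign_count: int = 0  # last counter value persisted for this credential


class ClonedAuthenticatorError(Exception):
    """Raised when the asserted counter does not advance."""


def verify_sign_count(stored: StoredCredential, asserted: int, persist: bool = True) -> None:
    """Counter check from WebAuthn assertion verification: when either the
    stored or the asserted counter is non-zero, the asserted value must be
    strictly greater than the stored one, otherwise the authenticator may have
    been cloned. Persisting the new value is what keeps the comparison
    meaningful on the next assertion; persist=False (hypothetical) models a
    verifier that compares but forgets to store."""
    if stored.sign_count != 0 or asserted != 0:
        if asserted <= stored.sign_count:
            raise ClonedAuthenticatorError(
                f"counter {asserted} did not advance past stored {stored.sign_count}"
            )
    if persist:
        stored.sign_count = asserted


def run_assertions(counters, persist: bool = True):
    """Feed a constructed sequence of asserted counter values through the check
    for a fresh credential and report 'ok' or 'rejected' for each one."""
    cred = StoredCredential(credential_id=b"\x01\x02", sign_count=0)
    results = []
    for value in counters:
        try:
            verify_sign_count(cred, value, persist=persist)
            results.append("ok")
        except ClonedAuthenticatorError:
            results.append("rejected")
    return results


if __name__ == "__main__":
    print("persisting:     ", run_assertions([10, 11, 11]))
    print("not persisting: ", run_assertions([10, 11, 11, 5], persist=False))
    print("no counter:     ", run_assertions([0, 0]))
```

With the stored value updated, a replayed or stale counter is rejected on the next assertion; without the update the stored value stays at zero and every later assertion passes, so clone detection silently does nothing. An authenticator that does not implement a counter reports 0 on every assertion, and the zero/zero case is deliberately skipped rather than rejected.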
A vulnerability in the hardware-based SSL/TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances could allow an unauthenticated, remote attacker to cause an affected device to...
AI Score 6.6 | EPSS 0.001
Summary IBM Security Guardium has addressed this vulnerability with updates. Vulnerability Details ** CVEID: CVE-2023-5868 DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when performing certain aggregate function calls. By...
CVSS 4.3 | AI Score 6.2 | EPSS 0.002
A vulnerability in the DNS inspection handler of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service condition (DoS) on an affected device. This vulnerability is due to a lack of...
AI Score 1.5 | EPSS 0.001
Security Constraint Bypass in Spring Security
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path...
CVSS 7.5 | AI Score 0.2 | EPSS 0.001
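Added example, not Spring Security's own matcher: how a path parameter (`;k=v` inside a segment) or a percent-encoded `/` keeps the raw request path from matching a constraint, a canonicalisation step that removes the difference before the decision is made, and a reject-by-default pre-filter of the kind Spring Security later shipped as StrictHttpFirewall. The protected prefix, the sample paths and the function names are assumptions for illustration.

```python
from urllib.parse import unquote

# Constructed rule: everything at or under /admin requires the ADMIN role.
PROTECTED_PREFIX = "/admin"


def matches_protected(path: str) -> bool:
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def naive_decision(raw_path: str) -> str:
    """Authorization decided on the path exactly as received: a path parameter
    or an encoded '/' stops the string from matching the constraint, so the
    request falls through to the public rule even though the container
    dispatches it to the admin handler."""
    return "protected" if matches_protected(raw_path) else "public"


def normalize_path(raw_path: str) -> str:
    """Canonicalise the way a servlet container does before dispatch: decode
    percent-encoding, strip path parameters from every segment, and collapse
    '.' and '..' segments."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def strict_firewall(raw_path: str) -> bool:
    """Reject-by-default pre-filter: refuse semicolons, encoded slashes or
    backslashes, and traversal segments outright, so the matcher never has to
    reason about an ambiguous URL."""
    lowered = raw_path.lower()
    if ";" in lowered or "%2f" in lowered or "%5c" in lowered or "\\" in lowered:
        return False
    return all(seg not in (".", "..") for seg in lowered.split("/"))


def hardened_decision(raw_path: str) -> str:
    """Reject ambiguous requests first, then match on the canonical path."""
    if not strict_firewall(raw_path):
        return "rejected"
    return "protected" if matches_protected(normalize_path(raw_path)) else "public"


if __name__ == "__main__":
    for raw in ["/admin/users", "/admin;jsessionid=abc/users", "/admin%2Fusers", "/public/index.html"]:
        print(f"{raw:32} naive={naive_decision(raw):10} hardened={hardened_decision(raw)}")
```

Matching on the canonical path closes the gap, but rejecting the ambiguous spellings outright is the safer default: a security filter and the container must otherwise agree on every normalisation rule, and any divergence reopens the bypass.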
Open Redirect in Spring Security OAuth
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the...
CVSS 5.4 | AI Score 3.1 | EPSS 0.003
A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an...
AI Score 7.2 | EPSS 0.0004
Summary The IBM Security Directory Integrator was vulnerable to multiple security vulnerabilities in the Eclipse Jetty component. This was addressed in version 10 of the IBM Security Directory Integrator. Vulnerability Details ** CVEID: CVE-2017-9735 DESCRIPTION: **Jetty could allow a remote...
CVSS 9.8 | AI Score 9 | EPSS 0.802
When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for...
CVSS 8.8 | AI Score 3.9 | EPSS 0.046
Summary IBM Security Guardium has addressed these vulnerabilities with updates. Vulnerability Details ** CVEID: CVE-2023-22081 DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity...
CVSS 5.9 | AI Score 6.5 | EPSS 0.001
A vulnerability in the activation of an access control list (ACL) on Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the protection that is offered by a configured ACL on an affected...
AI Score 7.2 | EPSS 0.0004
Denial of service in Spring Security OAuth2
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001
Improper Privilege Management in github.com/sap/cloud-security-client-go
Impact SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. Patches Upgrade to...
CVSS 9.8 | AI Score 7.6 | EPSS 0.001
Privilege escalation in sap/cloud-security-client-go
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the...
CVSS 9.8 | AI Score 7.4 | EPSS 0.001
Privilege escalation in sap/cloud-security-client-go
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the...
CVSS 9.8 | AI Score 7.3 | EPSS 0.001
Improper Privilege Management in github.com/sap/cloud-security-client-go
Impact SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. Patches Upgrade to...
CVSS 9.8 | AI Score 7.4 | EPSS 0.001
org.jenkins-ci.plugins: script-security is vulnerable to Improper Access Control. The vulnerability is due to improper permission checks during read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access.....
AI Score 6.7 | EPSS 0.0004
Summary IBM Security Verify Governance - Identity Manager ships with IBM Java SDK and IBM WebSphere Application Server traditional. Information about security vulnerabilities affecting these dependencies has been published in security bulletins. Vulnerability Details Refer to the security...
AI Score 8.4
Security Bulletin: IBM Security Guardium is affected by multiple Linux Kernel vulnerabilities
Summary IBM Security Guardium has addressed these vulnerabilities with an update. Vulnerability Details ** CVEID: CVE-2023-6679 DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the dpll_pin_parent_pin_set() function in...
CVSS 7.8 | AI Score 9.2 | EPSS 0.008
Jenkins Script Security Plugin sandbox bypass vulnerability
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call...
AI Score 7.5 | EPSS 0.0004
Escalation of privileges in github.com/sap/cloud-security-client-go
An unauthenticated attacker can obtain arbitrary permissions within the application under certain...
CVSS 9.8 | AI Score 7.3 | EPSS 0.001
Security Bulletin: IBM QRadar SIEM is not vulnerable to CVE-2023-51767
Summary An authentication bypass vulnerability was found in OpenSSH, however IBM QRadar SIEM is not vulnerable to it. Vulnerability Details ** CVEID: CVE-2023-51767 DESCRIPTION: **OpenSSH could allow a local authenticated attacker to bypass security restrictions, caused by improper...
CVSS 7 | AI Score 6 | EPSS 0.001
Security Bulletin: IBM Security Guardium is affected by a Kernel vulnerability (CVE-2023-3609)
Summary IBM Security Guardium has addressed this vulnerability in an update. Vulnerability Details ** CVEID: CVE-2023-3609 DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free flaw in the net/sched: cls_u32...
CVSS 7.8 | AI Score 6.9 | EPSS 0.0004
Summary The Jose4j library is vulnerable to a denial of service, caused by improper input validation. It could also allow a remote attacker to obtain sensitive information using cryptographic attacks. Vulnerability Details ** CVEID: CVE-2023-31582 DESCRIPTION: **Jose4J could allow a remote...
CVSS 7.5 | AI Score 7.6 | EPSS 0.0005
org.jenkins-ci.plugins:script-security is vulnerable to Arbitrary Code Execution. The vulnerability is due to crafted constructor bodies that invoke other constructors which can then be used to construct any subclassable type via implicit casts, which bypasses the sandbox protection, resulting in.....
AI Score 7.2 | EPSS 0.0004
Summary The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal and is vulnerable to improper validation of input. Vulnerability Details ** IBM X-Force ID: 177835 DESCRIPTION: **Apache Commons Codec could allow a remote attacker to...
AI Score 6.4
Summary Apache Log4j could allow a remote attacker to execute arbitrary code on the system. It is also vulnerable to SQL injection and could lead to a denial of service caused by a flaw when using the Chainsaw or SocketAppender components. Vulnerability Details ** CVEID: CVE-2022-23307 ...
CVSS 9.8 | AI Score 9.5 | EPSS 0.794
Security Bulletin: An IBM QRadar SIEM JDBC protocol is vulnerable to SQL injection (CVE-2024-1597)
Summary PostgreSQL JDBC Driver (PgJDBC) is vulnerable to SQL injection which could allow a remote attacker to send specially crafted SQL statements enabling the attacker to view, add, modify or delete information. Vulnerability Details ** CVEID: CVE-2024-1597 DESCRIPTION: **PostgreSQL JDBC Driver.....
CVSS 10 | AI Score 7.2 | EPSS 0.001
Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call...
AI Score 7.6 | EPSS 0.0004
Summary IBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security...
AI Score 7.1
Summary IBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. See the bulletins listed in the Remediation/Fixes...
CVSS 9.8 | AI Score 9.2 | EPSS 0.003
Summary A flaw was found in Google Protocol Buffer (protobuf-java) which allows the interleaving of com.google.protobuf.UnknownFieldSet fields. Vulnerability Details ** CVEID: CVE-2021-22569 DESCRIPTION: **Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service,.....
CVSS 7.5 | AI Score 8.2 | EPSS 0.001
Summary The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM has addressed these vulnerabilities with an update. Vulnerability Details ** CVEID: CVE-2023-41419 DESCRIPTION: **Gevent could allow a remote attacker to...
CVSS 9.9 | AI Score 10 | EPSS 0.969
Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Summary IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details ** CVEID: CVE-2019-13224 DESCRIPTION: **oniguruma is vulnerable to a denial of service,...
CVSS 10 | AI Score 10 | EPSS 0.05
Summary The RabbitMQ Java Client is vulnerable to a denial of service, caused by no message size limit in maxBodyLength. Vulnerability Details ** CVEID: CVE-2023-46120 DESCRIPTION: **RabbitMQ Java Client is vulnerable to a denial of service, caused by no message size limit in maxBodyLength. By...
CVSS 7.5 | AI Score 9.2 | EPSS 0.002
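Added example, not the RabbitMQ Java client: a length-prefixed frame reader that validates the declared body length against a cap before sizing any buffer from it, which is the class of check a missing body-size limit leaves out. The frame layout, the cap and the sample streams are constructed for the example and are not the AMQP wire format.

```python
import struct

# Constructed cap for the example; a real client takes it from configuration.
MAX_BODY_LENGTH = 1 << 20


class FrameTooLarge(ValueError):
    """Declared body length exceeds the configured cap."""


def build_frame(body: bytes) -> bytes:
    """Simplified, constructed frame layout: 4-byte big-endian body length
    followed by the body. Just enough structure to show the check."""
    return struct.pack(">I", len(body)) + body


def parse_frames(data: bytes, max_body_length: int = MAX_BODY_LENGTH):
    """Parse a stream of frames. The declared length is checked against the cap
    before any buffer is sized from it; a reader that trusts the header and
    allocates 'length' bytes lets a single 4-byte header request a 4 GiB
    allocation from an unauthenticated peer."""
    frames = []
    offset = 0
    while offset + 4 <= len(data):
        (length,) = struct.unpack_from(">I", data, offset)
        offset += 4
        if length > max_body_length:
            raise FrameTooLarge(f"declared body length {length} exceeds cap {max_body_length}")
        body = data[offset:offset + length]
        if len(body) != length:
            raise ValueError("truncated frame")
        frames.append(body)
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


def check_stream(data: bytes, max_body_length: int = MAX_BODY_LENGTH) -> str:
    """Return 'ok:<frame count>' or the reason the stream was refused."""
    try:
        return f"ok:{len(parse_frames(data, max_body_length))}"
    except FrameTooLarge:
        return "rejected:too-large"
    except ValueError:
        return "rejected:malformed"


# Constructed streams: two small frames, and one header claiming ~4 GiB.
GOOD_STREAM = build_frame(b"hello") + build_frame(b"world")
HOSTILE_STREAM = struct.pack(">I", 0xFFFFFFFF) + b"\x00"

if __name__ == "__main__":
    print("good:   ", check_stream(GOOD_STREAM))
    print("hostile:", check_stream(HOSTILE_STREAM))
```

The order matters: the cap is compared against the declared length, not against the bytes actually received, so the reader refuses the hostile header before it has read or reserved anything for the body.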
Summary IBM WebSphere Application Server, which is shipped with IBM Security Access Manager for Enterprise Single Sign-On, is vulnerable to a denial of service. Apply updates as referenced in the Remediation/Fixes section below. Vulnerability Details Refer to the security bulletin(s) listed in...
CVSS 5.9 | AI Score 5.7 | EPSS 0.0004
Summary The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. Log Source Management App for IBM QRadar SIEM has addressed the applicable CVEs in an update. Vulnerability Details ** CVEID: CVE-2024-28849 DESCRIPTION:...
CVSS 7.4 | AI Score 7 | EPSS 0.0004
CVE-2023-38831 PoC (Proof Of Concept) This is an easy-to-use...
CVSS 7.8 | AI Score 8.3 | EPSS 0.381
Summary IBM QRadar SIEM on Azure Cloud deployed from Azure Marketplace is vulnerable to a remote code execution issue found within the Microsoft Open Management Infrastructure (OMI). The information below shows how to remove this vulnerable component. Vulnerability Details ** CVEID:...
CVSS 9.8 | AI Score 8 | EPSS 0.001
Summary Several vulnerabilities were fixed in the IBM Security Verify Directory Suite. Vulnerability Details ** CVEID: CVE-2022-32753 DESCRIPTION: **IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive...
CVSS 7.5 | AI Score 6.3 | EPSS 0.001
An issue was discovered in the LDAP component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE:.....
CVSS 9.8 | AI Score 7.5 | EPSS 0.006
Symfony Denial of Service Via Overlong Usernames
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers....
CVSS 7.5 | AI Score 6.7 | EPSS 0.01
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target...
CVSS 6.1 | AI Score 6.5 | EPSS 0.008
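Added example, not Symfony's code: why a redirect check that only looks for a leading `//` misses a target written with backslashes, and a validator that normalises backslashes the way browsers do before it decides. The function names, the default destination and the sample targets are assumptions for illustration.

```python
from urllib.parse import urlsplit


def naive_is_local(target: str) -> bool:
    """Common check: a target is 'local' if it starts with one slash and not
    two. It never looks at backslashes, so '/\\evil.example' passes."""
    return target.startswith("/") and not target.startswith("//")


def browser_normalize(target: str) -> str:
    """Model of the WHATWG URL parser rule for http(s) URLs: a backslash is
    treated as a forward slash before the URL is resolved, so '/\\host' is
    navigated as the protocol-relative '//host'."""
    return target.replace("\\", "/")


def is_safe_local_redirect(target: str) -> bool:
    """Validate the target as the browser will interpret it, not as it is
    spelled: normalise backslashes, require exactly one leading slash, and
    confirm that no scheme or authority survives parsing."""
    normalized = browser_normalize(target)
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    return parts.scheme == "" and parts.netloc == ""


def resolve_failure_path(submitted: str, default: str = "/login") -> str:
    """Pick the post-login-failure destination: the submitted value only when
    it validates, otherwise a fixed default."""
    return submitted if is_safe_local_redirect(submitted) else default


if __name__ == "__main__":
    # Constructed form inputs as an attacker or a legitimate client might submit them.
    for target in ["/account", "/\\evil.example/login", "\\\\evil.example", "https://evil.example/"]:
        print(f"{target!r:26} naive={naive_is_local(target)!s:5} "
              f"safe={is_safe_local_redirect(target)!s:5} -> {resolve_failure_path(target)}")
```

An allow-list of known in-application paths is stricter still; the point of the normalisation step is that any string check has to be applied to the form the browser will act on, not the form the attacker typed.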
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.16, or 2.x prior to 2.346.4.1. It is, therefore, affected by multiple vulnerabilities, including the following: Loading specially-crafted yaml with the Kubernetes Java...
CVSS 6.7 | AI Score 6.6 | EPSS 0.001
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.277.x prior to 2.277.43.0.8, 2.303.x prior to 2.303.30.0.7, or 2.x prior to 2.332.1.5. It is, therefore, affected by multiple vulnerabilities, including the following: A cross-site request...
CVSS 8.8 | AI Score 6.3 | EPSS 0.001
A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.....