Monday, November 25, 2019

Weekly Update: a new vulnerability is published on the National Vulnerability Database (11 items)


New vulnerabilities from the NVD: CVE-2010-2247 (makepasswd)

makepasswd 1.10 default settings generate insecure passwords
Published at: November 06, 2019 at 07:15PM

November 13, 2019 at 01:38AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-5046 (debian_linux, jetty)

JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
Published at: November 06, 2019 at 10:15PM

November 13, 2019 at 05:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-5045 (debian_linux, jetty)

Dump Servlet information leak in jetty before 6.1.22.
Published at: November 06, 2019 at 10:15PM

November 13, 2019 at 05:38PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2010-2473 (drupal)

Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.
Published at: November 07, 2019 at 09:15PM

November 13, 2019 at 09:18PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2010-2472 (drupal)

Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.
Published at: November 07, 2019 at 09:15PM

November 13, 2019 at 09:18PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2010-2450 (debian_linux, service_provider)

The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.
Published at: November 07, 2019 at 11:15PM

November 13, 2019 at 11:18PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2007-6745 (clamav, debian_linux)

clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.
Published at: November 08, 2019 at 01:15AM

November 13, 2019 at 11:18PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2008-3278 (frysk)

frysk packages through 2008-08-05 as shipped in Red Hat Enterprise Linux 5 are built with an insecure RPATH set in the ELF header of multiple binaries in /usr/bin/f* (e.g. fcore, fcatch, fstack, fstep, ...) shipped in the package. A local attacker can exploit this vulnerability by running arbitrary code as another user.
Published at: November 08, 2019 at 01:15AM

November 14, 2019 at 01:18AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2008-7272 (firegpg)

FireGPG before 0.6 handles the user's passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk, which may result in the compromise of secure communication or a user's private key.
Published at: November 08, 2019 at 02:15AM

November 14, 2019 at 07:19PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2008-5083 (jboss_operations_network)

In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON.
Published at: November 08, 2019 at 02:15AM

November 14, 2019 at 09:18PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-5047

Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) HTTP Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a "java.lang.NumberFormatException" which reflects binary characters including ESC. These characters could be used to execute arbitrary commands or buffer dumps in the terminal. 2) The same attack in 1) can be exploited by requesting a page using an HTTP request "Content-Length" header set to a literal string.
Published at: November 15, 2019 at 06:15PM

November 15, 2019 at 09:18PM

via National Vulnerability Database

 
