当前节点:cve-famous
时间节点
2021-07-26 21:34:30知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.

在研究 DIRSTUDIO-1219时发现,当使用任何 SASL 身份验证机制(DIGEST-MD5,GSSAPI)时,没有应用配置的 StartTLS 加密。在调查 DIRSTUDIO-1220时,注意到没有应用任何配置的 SASL 保密层。这个问题影响 Apache Directory Studio version 2.0.0.v20210213-M16和以前的版本。
2021-07-25 12:34:29知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:JumpServer
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.

Jumpserver 2.6.2及以下版本中的一个问题允许攻击者通过没有访问控制的 API 创建一个连接令牌,并使用它来访问敏感资产。
2021-07-23 21:46:54知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:OpenAm
ForgeRock AM server 6.x before 7, and OpenAM 14.6.3, has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/Version request to the server. The vulnerability exists due to incorrect usage of Sun ONE Application Framework (JATO).

ForgeRock AM server 6.x before 7和 OpenAM 14.6.3在多个页面上的 jato.pagesesesession 参数中有一个 Java 反序列化漏洞。开发不需要身份验证,并且可以通过向服务器发送一个精心设计的/ccversion/Version 请求来触发远程代码执行。该漏洞的存在是由于不正确地使用了 sunone 应用程序框架(JATO)。
2021-07-23 21:45:39知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.

Mod _ auth _ openidc 是 Apache 2.x HTTP 服务器的身份验证/授权模块,作为一个 OpenID 连接依赖方,对用户进行针对 OpenID 连接提供商的身份验证。在2.4.9之前的版本中,“ oidc _ validate _ redirect _ url ()”不像大多数浏览器那样解析 url。因此,这个函数可以被绕过,并导致注销功能中的 Open
2021-07-23 21:45:36知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Apache
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configured to use an unencrypted Redis cache (`OIDCCacheEncrypt off`, `OIDCSessionType server-cache`, `OIDCCacheType redis`), `mod_auth_openidc` wrongly performed argument interpolation before passing Redis requests to `hiredis`, which would perform it again and lead to an uncontrolled format string bug. Initial assessment shows that this bug does not appear to allow gaining arbitrary code execution, but can reliably provoke a denial of service by repeatedly crashing the Apache workers. This bug has been corrected in version 2.4.9 by performing argument interpolation only once, using the `hiredis` API. As a workaround, this vulnerability can be mitigated by setting `OIDCCacheEncrypt` to `on`, as cache keys are cryptographically hashed before 
2021-07-23 21:43:29知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Sentry
有新的漏洞组件被发现啦,组件ID:Apache
Impala sessions use a 16 byte secret to verify that the session is not being hijacked by another user. However, these secrets appear in the Impala logs, therefore Impala users with access to the logs can use another authenticated user's sessions with specially constructed requests. This means the attacker is able to execute statements for which they don't have the necessary privileges otherwise. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authentica
2021-07-22 17:45:40知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Elasticsearch
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

所有弹性云企业版本在已部署的集群中默认启用了 Elasticsearch & # 8220; anonymous & # 8221; 用户。在默认设置中,匿名用户没有权限,无法成功查询任何 Elasticsearch api,而攻击者可以利用匿名用户获取部署集群的某些细节。
2021-07-22 17:45:39知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Elasticsearch
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

在 Elasticsearch 7.10.0-7.13.3错误报告中发现了一个内存泄露漏洞。能够向 Elasticsearch 提交任意查询的用户可以提交格式错误的查询,这将导致返回错误消息,其中包含以前使用的数据缓冲区部分。这个缓冲区可能包含敏感信息,如 Elasticsearch 文档或身份验证详细信息。
2021-07-21 21:53:53知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle Fusion 中间件(组件: 核心) WebLogic 产品的漏洞。受影响的支持版本有10.3.6.0.0、12.1.3.0、12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 HTTP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功攻击这个漏洞可能导致未经授权的读取访问 WebLogic 可访问的数据子集。CVSS 3.1基本得分5.3(机密性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: l/i: n/a: n)。
2021-07-21 21:53:34知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Fusion 中间件(组件: 核心) WebLogic 产品的漏洞。受影响的支持版本有10.3.6.0.0、12.1.3.0、12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 t 3,IIOP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功攻击这个漏洞可以导致 WebLogic 的被接管。CVSS 3.1基本得分9.8(机密性、完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: h/i: h/a: h)。
2021-07-21 21:53:30知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Fusion 中间件(组件: 核心) WebLogic 产品的漏洞。受影响的支持版本有10.3.6.0.0、12.1.3.0、12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 t 3,IIOP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功攻击这个漏洞可以导致 WebLogic 的被接管。CVSS 3.1基本得分9.8(机密性、完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: h/i: h/a: h)。
2021-07-21 21:52:39知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Fusion 中间件 WebLogic 产品中的漏洞(组件: 安全)。受影响的支持版本有10.3.6.0.0、12.1.3.0、12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 t 3,IIOP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。成功攻击这个漏洞可以导致 WebLogic 的被接管。CVSS 3.1基本得分9.8(机密性、完整性和可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: h/i: h/a: h)。
2021-07-21 21:52:33知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Oracle Fusion 中间件(组件: 核心) WebLogic 产品的漏洞。受影响的支持版本有10.3.6.0.0、12.1.3.0、12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 t 3,IIOP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。此漏洞的成功攻击可能导致未经授权的能力,造成挂起或频繁重复崩溃(完全 DOS)的 WebLogic。CVSS 3.1基本得分7.5(可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: n/i: n/a: h)。
2021-07-21 21:52:28知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:WebLogic
有新的漏洞组件被发现啦,组件ID:WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Oracle Fusion 中间件(组件: Web 服务) WebLogic 产品中的漏洞。受影响的支持版本有10.3.6.0.0、12.1.3.0、12.2.1.3.0、12.2.1.4.0和14.1.1.0.0。易于利用的漏洞允许通过 t 3,IIOP 进行网络访问的未经身份验证的攻击者入侵 WebLogic。此漏洞的成功攻击可能导致未经授权的能力,造成挂起或频繁重复崩溃(完全 DOS)的 WebLogic。CVSS 3.1基本得分7.5(可用性影响)。CVSS 向量: (CVSS: 3.1/AV: n/AC: l/PR: n/UI: n/s: u/c: n/i: n/a: h)。
2021-07-21 11:05:01知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Jira
有新的漏洞组件被发现啦,组件ID:Atlassian Jira
Export HTML Report in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.

在8.5.14版本之前导出 Atlassian Jira Server 和 Jira 数据中心的 HTML 报告,在8.13.6版本之前导出8.6.0版本,在8.16.1版本之前导出8.14.0版本,允许远程攻击者通过跨网站脚本安全漏洞注入任意的 HTML 或 JavaScript。
2021-07-21 11:04:57知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Jira
有新的漏洞组件被发现啦,组件ID:Atlassian Jira
The XML Export in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a stored cross site scripting vulnerability.

Atlassian Jira Server 和 Jira 数据中心的 XML Export 在8.5.14版本之前,8.6.0版本之前,8.13.6版本之前,8.14.0版本之前,8.17.0允许远程攻击者通过存储的跨网站脚本安全漏洞注入任意的 HTML 或 JavaScript。
2021-07-21 11:04:55知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Jira
有新的漏洞组件被发现啦,组件ID:Atlassian Jira
REST API in Atlassian Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the `/rest/api/latest/user/avatar/temporary` endpoint.

Atlassian Jira Server 的 REST API 和 Jira Data Center 在8.5.14版本之前,8.13.6版本之前,8.14.0版本之前,8.16.1版本允许远程攻击者通过敏感数据暴露漏洞在‘/REST/API/latest/user/avatar/temporary’端点枚举用户名。
2021-07-21 11:03:04知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:天融信
2021-07-19 08:52:47知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:天融信
2021-07-18 06:16:52知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34468, CVE-2021-34520.

SharePoint 服务器远程代码执行漏洞这个 CVE ID 是唯一的 CVE-2021-34468,CVE-2021-34520。
2021-07-18 06:15:24知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:天融信
2021-07-18 06:15:23知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:天融信
2021-07-18 06:15:23知名组件CVE监控
2021-07-17 10:20:37知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Elasticsearch
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.1
2021-07-17 10:19:37知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a user to impersonate another user on the system. IBM X-Force ID: 201483.

IBM Security Verify Access Docker 10.0.0允许用户模拟系统上的另一个用户。201483.
2021-07-17 10:19:34知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a remote priviled user to upload arbitrary files with a dangerous file type that could be excuted by an user. IBM X-Force ID: 200600.

IBM Security Verify Access Docker 10.0.0可以允许远程隐私用户上传具有危险文件类型的任意文件,用户可以执行这些文件。200600.
2021-07-17 10:19:17知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID:198918

IBM Security Verify Access Docker 10.0.0包含硬编码的凭据,比如密码或单密钥,它使用这些凭据进行自己的入站身份验证、与外部组件的出站通信或内部数据加密。198918
2021-07-17 10:19:02知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 198814

IBM Security Verify Access Docker 10.0.0允许远程攻击者使用开放重定向攻击进行网络钓鱼攻击。通过说服受害者访问一个特制的网站,远程攻击者可以利用这个漏洞欺骗显示的 URL,将用户重定向到一个看起来可信的恶意网站。这可能使攻击者获得高度敏感的信息,或对受害者进行进一步的攻击。198814
2021-07-17 10:19:00知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 198813

IBM Security Verify Access Docker 10.0.0可以允许经过身份验证的远程攻击者通过发送特制的请求在系统上执行任意命令。198813
2021-07-17 10:18:42知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 198661.

10.0.0是易受跨网站脚本攻击的。这个漏洞允许用户在 Web UI 中嵌入任意的 JavaScript 代码,从而改变了预期的功能,可能导致在可信任的会话中披露凭据。198661.
2021-07-17 10:17:45知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 198660

IBM Security Verify Access Docker 10.0.0允许远程攻击者在浏览器中返回详细的技术错误消息时获取敏感信息。这些信息可以用来对系统进行进一步的攻击。198660
2021-07-17 10:17:42知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 198300.

IBM Security Verify Access Docker 10.0.0允许远程攻击者遍历系统上的目录。攻击者可以发送一个特制的包含“点点”序列的 URL 请求(/。./)查看系统上的任意文件。198300.
2021-07-17 10:17:40知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 198299

IBM Security Verify Access Docker 10.0.0以纯明文形式存储用户凭据,本地用户可以读取这些凭据。198299
2021-07-17 10:17:38知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could reveal highly sensitive information to a local privileged user. IBM X-Force ID: 197980.

10.0.0可以向本地特权用户透露高度敏感的信息。 IBM X-Force ID: 197980。
2021-07-17 10:17:35知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197973

IBM Security Verify Access Docker 10.0.0允许远程攻击者在浏览器中返回详细的技术错误消息时获取敏感信息。这些信息可以用来对系统进行进一步的攻击。197973
2021-07-17 10:17:32知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 reveals version information in HTTP requets that could be used in further attacks against the system. IBM X-Force ID: 197972.

IBM Security Verify Access Docker 10.0.0揭示了 HTTP 请求中的版本信息,这些信息可用于对系统的进一步攻击。197972.
2021-07-17 10:17:31知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 197969

IBM Security Verify Access Docker 10.0.0使用了弱于预期的加密算法,该算法允许攻击者解密高度敏感的信息。197969
2021-07-17 10:17:28知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Verify Access Docker 10.0.0 could allow an authenticated user to bypass input due to improper input validation. IBM X-Force ID: 197966.

10.0.0可以允许经过身份验证的用户绕过不正确的输入验证的输入。197966.
2021-07-17 10:17:27知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Docker
IBM Security Access Manager 9.0 and IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by an unauthorized user.

IBM Security Access Manager 9.0和 IBM Security Verify Access Docker 10.0.0以明文形式存储用户凭据,未经授权的用户可以读取这些凭据。
2021-07-17 10:15:22知名组件CVE监控
2021-07-16 14:33:21知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470.

Microsoftexchangeserverelevation of Privilege Vulnerability 此 CVE ID 是 CVE-2021-33768,CVE-2021-34470中唯一的。
2021-07-16 14:33:00知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34467, CVE-2021-34468.

SharePoint 服务器远程代码执行漏洞这个 CVE ID 是唯一的 CVE-2021-34467,CVE-2021-34468。
2021-07-16 14:32:54知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Information Disclosure Vulnerability

SharePoint 服务器信息披露漏洞
2021-07-16 14:32:45知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Spoofing Vulnerability

SharePoint 服务器欺骗漏洞
2021-07-16 14:29:33知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.

Microsoft Exchange Server 远程代码执行漏洞此 CVE ID 是 CVE-2021-31196、 CVE-2021-31206中唯一的。
2021-07-16 14:29:29知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34523.

Microsoftexchangeserverelevation of Privilege Vulnerability 此 CVE ID 是 CVE-2021-33768,CVE-2021-34523中唯一的。
2021-07-16 14:29:04知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft SharePoint
Microsoft SharePoint Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34467, CVE-2021-34520.

SharePoint 服务器远程代码执行漏洞这个 CVE ID 是唯一的 CVE-2021-34467,CVE-2021-34520。
2021-07-16 14:27:01知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-34470, CVE-2021-34523.

Microsoftexchangeserverelevation of Privilege Vulnerability 这个 CVE ID 是 CVE-2021-34470,CVE-2021-34523中唯一的。
2021-07-16 14:26:57知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:Microsoft Exchange
Microsoft Exchange Information Disclosure Vulnerability

Microsoftexchange 信息披露漏洞
2021-07-16 14:24:19知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version - 7.50, no security audit log is created. Therefore, security audit log Integrity is impacted.

当特权不足的用户试图访问 SAP NetWeaver 管理员(管理员应用程序)版本-7.50中的任何应用程序时,不会创建安全审计日志。因此,安全审计日志的完整性受到影响。
2021-07-16 14:23:49知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP requests, an attacker can use this in conjunction with other attacks such as XSS to steal this information.

7.10,7.20,7.30,7.31,7.40,7.50版本在一个 HTTP 请求中揭示了敏感信息,攻击者可以结合其他攻击如 XSS 来盗取这些信息。
2021-07-16 14:23:47知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. The work process will attempt to restart itself after the crash and hence the impact on the availability is low.

7.21 EXT,7.22,7.22 EXT,KRNL32UC 7.21,7.21 EXT,7.22 EXT,7.21 EXT,7.21 EXT,7.22 EXT,7.21 EXT,7.22,7.22 EXT,7,7.21 EXT,7.22,7.22 EXT,7.49,KRNL64UC 8.04,7.21,7.21 EXT,7.22,7.22 EXT,8.04,7.21,7.21 EXT,7.22,7.22 EXT,7.49,7.53,7.77、7.81、7.84允许攻击者在 RFC 请求类型中发送过长的内容,从而由于内存损坏漏洞而导致相应的工作进程崩溃。工作流程将在崩溃后尝试重新启动自己,因此对可用性的影响很小。
2021-07-16 14:22:53知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.

SAP NetWeaver AS ABAP (Reconciliation Framework)的一个功能模块——700,701,702,710,711,730,731,740,750,751,752,75A,75B,75B,75C,75D,75E,75F ——允许高特权的攻击者注入代码,以便应用程序执行。攻击者可以因此删除一些关键信息,从而使 SAP 系统完全不可用。
2021-07-16 14:22:42知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead to information disclosure.

SAP NetWeaver ABAP 服务器和 ABAP 平台,版本-700,702,730,731,804,740,750,784,将功能暴露给外部可能导致信息披露。
2021-07-16 14:22:38知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
SAP NetWeaver Guided Procedures (Administration Workset), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. The impact of missing authorization could result to abuse of functionality restricted to a particular user group, and could allow unauthorized users to read, modify or delete restricted data.

SAP NetWeaver 指导过程(Administration Workset) ,版本-7.10、7.20、7.30、7.31、7.40、7.50,不为经过身份验证的用户执行必要的授权检查,导致权限升级。缺少授权的影响可能导致滥用仅限于特定用户组的功能,并可能允许未经授权的用户读取、修改或删除受限制的数据。
2021-07-16 14:22:35知名组件CVE监控
有新的漏洞组件被发现啦,组件ID:SAP NetWeaver
SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send multiple HTTP requests with different method types thereby crashing the filter and making the HTTP server unavailable to other legitimate users leading to denial of service vulnerability.

7.10,7.11,7.20,7.30,7.31,7.40,7.50,允许攻击者使用不同的方法类型发送多个 HTTP 请求,从而破坏了过滤器,使得 HTTP 服务器无法供其他合法用户使用,导致分布式拒绝服务攻击安全漏洞。