Current node: cve-famous
Timeline
2020-08-08 17:16:44 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

2020-08-08 17:14:43 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

2020-08-08 17:14:39 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
IP address spoofing when proxying using mod_remoteip and mod_rewrite. For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.

2020-08-08 17:14:35 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
Apache HTTP Server 2.4.32 to 2.4.44: mod_proxy_uwsgi information disclosure and possible RCE.

2020-08-06 17:18:51 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: SVN
USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.

2020-08-06 17:15:20 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.

2020-08-05 17:04:43 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jira
An issue was discovered in the Gantt-Chart module before 5.5.5 for Jira. Due to missing validation of user input, it is vulnerable to a persistent XSS attack. An attacker can embed the attack vectors in the dashboard of other users. To exploit this vulnerability, an attacker has to be authenticated.

2020-08-05 17:04:41 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jira
An issue was discovered in the Gantt-Chart module before 5.5.4 for Jira. Due to a missing privilege check, it is possible to read and write to the module configuration of other users. This can also be used to deliver an XSS payload to other users' dashboards. To exploit this vulnerability, an attacker has to be authenticated.

2020-08-04 00:06:58 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 用友 (Yonyou)
2020-08-04 17:17:10 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: IBM WebSphere
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges. IBM X-Force ID: 182808.

2020-08-03 00:18:48 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 天融信 (Topsec)
2020-08-01 00:10:05 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 用友 (Yonyou)
2020-08-01 17:10:52 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Nexus Repository Manager
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow Remote Code Execution.

2020-08-01 17:10:50 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Nexus Repository Manager
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 2 of 2).

2020-08-01 17:10:48 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Nexus Repository Manager
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2).

2020-07-31 00:00:51 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 用友 (Yonyou)
2020-07-30 17:14:07 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Seafile
The seafile-client client 7.0.8 for Seafile is vulnerable to DLL hijacking because it loads exchndl.dll from the current working directory.

2020-07-29 17:39:30 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Kibana
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.

2020-07-29 17:39:28 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Kibana
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that, when viewed by a Kibana user, can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

2020-07-29 17:35:51 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Nagios XI
Graph Explorer in Nagios XI before 5.7.2 allows XSS via the link url option.

2020-07-29 17:26:32 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WildFly
A new vulnerable component has been found, component ID: Jboss
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.

2020-07-29 17:26:29 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WildFly
A new vulnerable component has been found, component ID: Jboss
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may accumulate over time and can cause services to slow down and eventually become unavailable. An attacker can take advantage of this to cause a denial of service and make services unavailable.

2020-07-29 17:26:21 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Atlassian Confluence
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.

2020-07-29 17:25:15 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: RTX
An issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. They do not require users to change the default password for the admin account. They only show a pop-up window suggesting a change, but there is no enforcement. An administrator can click Cancel and proceed to use the device without changing the password. Additionally, they disclose the default username within the login.js script. Since many attacks on IoT devices, including malware and exploits, are based on the use of default credentials, this makes these cameras an easy target for malicious actors.

2020-07-18 17:24:30 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: IBM WebSphere
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.

2020-07-18 17:23:03 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jupyter
In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.

2020-07-18 17:22:47 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

2020-07-17 17:16:10 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the "classic" UI.

2020-07-17 17:13:34 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Zabbix
Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

2020-07-17 17:13:08 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.

2020-07-17 17:13:06 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly into the broker, which could lead to a deserialization attack (and thus remote code execution) on the Worker.

2020-07-17 17:13:03 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

2020-07-17 17:13:01 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

2020-07-16 00:05:19 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 泛微 (Weaver)
2020-07-16 00:05:23 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 泛微 (Weaver)
2020-07-16 17:05:26 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
IDOR vulnerability in the order processing feature of the ecommerce component of Apache OFBiz before 17.12.04.

2020-07-16 17:05:24 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Harbor
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.

2020-07-16 17:25:00 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.

2020-07-16 17:23:42 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

2020-07-16 17:23:34 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).

2020-07-16 17:23:17 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A new vulnerable component has been found, component ID: GitLab
Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.

2020-07-16 17:23:15 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:23:12 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:23:09 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:23:04 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Matrix Project Plugin 1.16 and earlier does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:22:59 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not correctly escape the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:22:50 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:22:46 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:22:43 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.

2020-07-16 17:17:57 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

2020-07-16 17:15:23 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

2020-07-16 17:14:58 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

2020-07-16 17:14:53 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

2020-07-16 17:14:40 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Sample apps). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

2020-07-16 17:14:25 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Sample apps). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

2020-07-16 17:14:22 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: WebLogic
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Sample apps). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).