Month: May 2022

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
References

https://nvd.nist.gov/vuln/detail/C…

An issue was discovered in the smallvec crate before 0.6.14 and 1.x before 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-25900
https://rustsec.org/advisories/RUSTSE…

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
References

https://nvd.nist.gov/vuln/detail/CVE-2020-36191
https://github.com/jupyte…

Prototype pollution vulnerability in ‘@strikeentco/set’ version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-28267
https://github.com/strikeentco/set/com…

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
References

https://nvd…

A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2308
https://www.jenkins.io/security/advis…

Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2307
https://www.jenkins.io/security/advisory/2020-11-0…

Jenkins Mercurial Plugin 2.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2305
https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2115
http…

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-2306
https://ww…

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an…