Total
8185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10407 | 1 Jenkins | 1 Project Inheritance | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin. | |||||
| CVE-2019-10247 | 4 Debian, Eclipse, Netapp and 1 more | 26 Debian Linux, Jetty, Element and 23 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | |||||
| CVE-2019-10246 | 4 Eclipse, Microsoft, Netapp and 1 more | 26 Jetty, Windows, Element and 23 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. | |||||
| CVE-2019-10243 | 1 Eclipse | 1 Kura | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying Ui Web server version in its replies. This can be used as a hint by an attacker to specifically craft attacks to the web server run by Kura. | |||||
| CVE-2019-10224 | 1 Fedoraproject | 1 389 Directory Server | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information. | |||||
| CVE-2019-10223 | 3 Kubernetes, Linux, Redhat | 3 Kube-state-metrics, Linux Kernel, Openshift Container Platform | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A security issue was discovered in the kube-state-metrics versions v1.7.0 and v1.7.1. An experimental feature was added to the v1.7.0 release that enabled annotations to be exposed as metrics. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default `kubectl` behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics. This feature has been reverted and released as the v1.7.2 release. If you are running the v1.7.0 or v1.7.1 release, please upgrade to the v1.7.2 release as soon as possible. | |||||
| CVE-2019-10217 | 1 Redhat | 1 Ansible | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. | |||||
| CVE-2019-10183 | 1 Redhat | 2 Enterprise Linux, Virt-manager | 2024-11-21 | 2.1 LOW | 3.2 LOW |
| Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM password as command line arguments, thus leaking them to others users on the system via process listing. It was introduced recently in the virt-manager v2.2.0 release. | |||||
| CVE-2019-10156 | 2 Debian, Redhat | 3 Debian Linux, Ansible, Openstack | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. | |||||
| CVE-2019-10109 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An Information Exposure issue (issue 1 of 2) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. EXIF geolocation data were not removed from images when uploaded to GitLab. As a result, anyone with access to the uploaded image could obtain its geolocation, device, and software version data (if present). | |||||
| CVE-2019-10083 | 1 Apache | 1 Nifi | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to. | |||||
| CVE-2019-1010283 | 1 Univention | 1 Univention Corporate Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later. | |||||
| CVE-2019-1010024 | 1 Gnu | 1 Glibc | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. | |||||
| CVE-2019-1003021 | 1 Jenkins | 1 Openid Connect Authentication | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret. | |||||
| CVE-2019-1003018 | 1 Jenkins | 1 Github Oauth | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret. | |||||
| CVE-2019-0647 | 1 Microsoft | 1 Team Foundation Server | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team. | |||||
| CVE-2019-0545 | 1 Microsoft | 11 .net Core, .net Framework, Windows 10 and 8 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7/4.7.1/4.7.2, .NET Core 2.1, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 2.2, Microsoft .NET Framework 4.7.2. | |||||
| CVE-2019-0405 | 1 Sap | 1 Enable Now | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure. | |||||
| CVE-2019-0390 | 1 Sap | 1 Diagnostics Agent | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Under certain conditions SAP Data Hub (corrected in DH_Foundation version 2) allows an attacker to access information which would otherwise be restricted. Connection details that are maintained in Connection Manager are visible to users. | |||||
| CVE-2019-0352 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In SAP Business Objects Business Intelligence Platform, before versions 4.1, 4.2 and 4.3, some dynamic pages (like jsp) are cached, which leads to an attacker can see the sensitive information via cache and can open the dynamic pages even after logout. | |||||