Security Vulnerabilities - CVEs Published In June 2017
pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the Pulp server and Pulp consumers in a directory that is world-readable, and only tightens the permissions afterwards, which might allow local users to read the generated RSA keys by opening the key files while the installation process is running.
CVSS Score
5.5
EPSS Score
0.0
Published
2017-06-08
client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to /etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert.pem and authenticating as a consumer user.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-06-08
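Both Pulp entries are the same defect in two forms: key material created with default permissions and then (at best) chmod-ed afterwards. The following is an added example, not Pulp's code, assuming a POSIX filesystem; it reproduces the window a concurrent local reader gets from create-then-chmod, shows the file left world-readable when the chmod never happens, contrasts that with creating the directory 0700 and the file 0600 in one step, and finishes with a small audit that finds private keys still readable at rest. FAKE_KEY and the path names are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Constructed stand-in for PEM key material; not a real key.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"constructed-example-not-a-real-key\n"
            b"-----END RSA PRIVATE KEY-----\n")

Observer = Optional[Callable[[Path], None]]


def is_world_readable(path: Path) -> bool:
    return bool(path.stat().st_mode & stat.S_IROTH)


def write_key_insecure(path: Path, key: bytes, observer: Observer = None,
                       chmod_after: bool = True) -> None:
    """The create-then-chmod pattern behind both Pulp entries.

    The directory is created 0755 and the file 0644 (0666 & ~022), so between
    write_bytes() and chmod() any local user can open the file and keep the
    descriptor; with chmod_after=False the file simply stays world-readable.
    `observer` stands in for that concurrent reader.
    """
    old = os.umask(0o022)                     # pin umask so the window is reproducible
    try:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(key)
        if observer:
            observer(path)
        if chmod_after:
            path.chmod(0o600)                 # too late: the file was already readable
    finally:
        os.umask(old)


def write_key_secure(path: Path, key: bytes, observer: Observer = None) -> None:
    """Directory 0700, file created 0600 in one step.

    os.open with O_CREAT|O_EXCL and mode 0o600 never exposes the key, and
    refuses to write through a file or symlink planted at the destination.
    """
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    if observer:
        observer(path)


def find_exposed_keys(root: Path) -> List[str]:
    """Audit helper: names of private-key files under root readable by group or other."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            with p.open("rb") as f:
                if b"PRIVATE KEY-----" in f.read(4096):
                    hits.append(p.name)
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Record what a concurrent reader sees for each writer, then audit at rest."""
    seen: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_key_insecure(root / "race" / "race.pem", FAKE_KEY,
                           observer=lambda p: seen.__setitem__("race", is_world_readable(p)))
        write_key_insecure(root / "left" / "leftover.pem", FAKE_KEY, chmod_after=False)
        write_key_secure(root / "safe" / "secure.pem", FAKE_KEY,
                         observer=lambda p: seen.__setitem__("secure", is_world_readable(p)))
        seen["secure_dir_world_readable"] = is_world_readable(root / "safe")
        seen["exposed_at_rest"] = find_exposed_keys(root)
    return seen
```

Calling `demo()` returns `race: True` (the reader saw a 0644 file before the chmod), `secure: False`, and `exposed_at_rest: ["leftover.pem"]`: the race variant looks clean at rest, which is why an after-the-fact permission audit alone does not catch the first entry, and the directory mode matters as much as the file mode.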
The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.
CVSS Score
9.8
EPSS Score
0.019
Published
2017-06-08
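The JBoss entry is a Java deserialization bug: the servlet reads whatever object stream the client posts. Detecting that class of traffic in front of an invoker servlet does not need a full stream parser. The following is an added example, not JBoss code, that recognises a Java serialization stream (raw or base64-encoded), pulls the class names out of its TC_CLASSDESC records by a labelled heuristic, and flags names from an assumed watch list of known gadget-chain classes; SAMPLE_BODY is constructed, with filler bytes where real serialVersionUID and field data would be.

```python
import base64
import re
import struct
from typing import Dict, List

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header (STREAM_MAGIC, STREAM_VERSION)
B64_MAGIC_PREFIX = b"rO0AB"          # the same four bytes once base64-encoded
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
# Java class / array-descriptor names, e.g. java.util.HashMap or [Ljava.lang.Object;
CLASS_NAME = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")

# Classes from well-known deserialization gadget chains.  Assumed watch list
# for the example; extend it with whatever your environment treats as hostile.
GADGET_WATCHLIST = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}


def unwrap(body: bytes) -> bytes:
    """Return the raw stream, base64-decoding it if the client sent it that way."""
    text = body.strip()
    if text.startswith(B64_MAGIC_PREFIX):
        try:
            return base64.b64decode(text, validate=True)
        except ValueError:
            return body
    return body


def class_names(stream: bytes) -> List[str]:
    """Heuristic extraction of class names without a full stream parser.

    TC_CLASSDESC (0x72) is followed by the class name as a 2-byte big-endian
    length plus modified-UTF-8 bytes.  A 0x72 byte inside field data would
    also match, so a hit is kept only when the decoded bytes look like a Java
    class name; matched names are skipped so their own 'r' bytes are not
    rescanned.
    """
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)
            raw = stream[i + 3:i + 3 + length]
            if length and len(raw) == length:
                name = raw.decode("ascii", errors="replace")
                if CLASS_NAME.match(name):
                    names.append(name)
                    i += 3 + length
                    continue
        i += 1
    return names


def inspect_body(body: bytes) -> Dict[str, object]:
    """What a WAF rule or IDS signature in front of an invoker servlet needs to decide."""
    stream = unwrap(body)
    if not stream.startswith(STREAM_MAGIC):
        return {"java_serialized": False, "classes": [], "flagged": []}
    found = class_names(stream)
    return {"java_serialized": True, "classes": found,
            "flagged": sorted(set(found) & GADGET_WATCHLIST)}


def _classdesc(name: str) -> bytes:
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()


# Constructed sample body: a valid header and two class descriptors; the bytes
# after each name are filler standing in for serialVersionUID/flags/field
# data, not a working gadget chain.
SAMPLE_BODY = (
    STREAM_MAGIC + bytes([TC_OBJECT])
    + _classdesc("java.util.HashMap") + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02"
    + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
    + b"\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x01"
)
SAMPLE_BODY_B64 = base64.b64encode(SAMPLE_BODY)
```

`inspect_body(SAMPLE_BODY)` reports both class names and flags InvokerTransformer; the base64 form is caught by the `rO0AB` prefix, which is how such payloads usually travel inside form fields or JSON. The heuristic is for detection only: a name-based blocklist is bypassable, and the durable fix is to take the invoker servlets off the network or upgrade off the affected EAP line.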
CloudForms Management Engine before 5.8 ships with a default SSL/TLS certificate, so the same certificate and private key are present in every installation and available to anyone with a copy of the product.
CVSS Score
7.5
EPSS Score
0.002
Published
2017-06-08
ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.
CVSS Score
8.8
EPSS Score
0.016
Published
2017-06-08
Curam Universal Access in IBM Curam Social Program Management (SPM) 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.5 iFix5 allows remote attackers to obtain sensitive information about internal caseworker usernames via vectors related to a URL.
CVSS Score
5.3
EPSS Score
0.002
Published
2017-06-08
Buffer overflow in the mcpq daemon in F5 BIG-IP systems 10.x before 10.2.4 HF12, 11.x before 11.2.1 HF15, 11.3.x, 11.4.x before 11.4.1 HF9, 11.5.x before 11.5.2 HF1, and 11.6.0 before HF4, and Enterprise Manager 2.1.0 through 2.3.0 and 3.x before 3.1.1 HF5 allows remote authenticated administrators to cause a denial of service via unspecified vectors.
CVSS Score
4.9
EPSS Score
0.005
Published
2017-06-08
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.
CVSS Score
9.8
EPSS Score
0.499
Published
2017-06-08
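The Seagate entry is the consequence of one secret shared by every unit: whoever extracts the key from a firmware download can mint a session for any device. The following is an added example, not Seagate's code. It builds tokens with an HMAC tag rather than encryption so it runs on the standard library alone; the failure mode is identical, since what matters is that the key is the same everywhere. FIRMWARE_STATIC_KEY, the claim layout and the two device classes are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed value standing in for a key compiled into every unit's firmware.
# Anyone who downloads one firmware image has it, so it authenticates nothing.
FIRMWARE_STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TOKEN_TTL = 3600


def mint_token(key: bytes, user: str, role: str, now: int) -> str:
    """Session token = claims || HMAC-SHA256(key, claims), base64url-encoded."""
    claims = json.dumps({"u": user, "r": role, "exp": now + TOKEN_TTL},
                        separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(claims + tag).decode()


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) <= 32:
        return None
    claims, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(key, claims, hashlib.sha256).digest(), tag):
        return None
    parsed = json.loads(claims)
    return parsed if parsed.get("exp", 0) > now else None


class VulnerableNAS:
    """Every unit verifies with the key baked into the firmware image."""
    def __init__(self) -> None:
        self.key = FIRMWARE_STATIC_KEY


class FixedNAS:
    """Each unit generates its own key at first boot; it never leaves the device."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)


def attacker_forges_root(device, now: int) -> bool:
    """The attacker knows only FIRMWARE_STATIC_KEY (pulled from a firmware
    download).  They forge a root session and see whether the device accepts it."""
    forged = mint_token(FIRMWARE_STATIC_KEY, "admin", "root", now)
    return verify_token(device.key, forged, now) is not None


def legit_login_roundtrip(device, now: int) -> bool:
    """A token the device itself issued verifies until it expires, on either design."""
    token = mint_token(device.key, "alice", "user", now)
    claims = verify_token(device.key, token, now)
    expired = verify_token(device.key, token, now + TOKEN_TTL + 1)
    return claims is not None and claims["u"] == "alice" and expired is None
```

`attacker_forges_root(VulnerableNAS(), now)` is True and `attacker_forges_root(FixedNAS(), now)` is False, while legitimate logins behave the same on both: moving to a per-device key costs nothing functionally. The same "one secret in every install" defect is what the CloudForms default-certificate entry above describes, and the remedy is the same: generate the secret on the device, at first boot, and keep it there.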
The DeviceManager in Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to obtain sensitive information via a crafted UDS patch with JavaScript.
CVSS Score
7.5
EPSS Score
0.001
Published
2017-06-08
Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to execute arbitrary code with root privileges via a crafted UDS patch with shell scripts.
CVSS Score
8.8
EPSS Score
0.005
Published
2017-06-08
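Both OceanStor entries come down to a patch mechanism that runs the JavaScript and shell scripts inside whatever bundle it is handed. The gate a practitioner wants is signature verification before a single member is read as code, plus archive sanity checks so even a signed bundle cannot write outside its target. The following is an added example, not Huawei's code: it packs a constructed bundle, signs it, and shows legitimate, tampered, unsigned and path-escaping bundles being accepted or rejected. An HMAC key is used so the example runs on the standard library alone; a real vendor would sign with the private half of an asymmetric key pair and ship only the public half in the appliance, which is the assumption to carry over.

```python
import hashlib
import hmac
import io
import secrets
import tarfile
from typing import Dict, List

# Constructed vendor key (symmetric for the example; see the lead-in).
VENDOR_KEY = secrets.token_bytes(32)


def build_patch(files: Dict[str, bytes]) -> bytes:
    """Pack a patch bundle: constructed stand-in for a UDS patch archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_patch(bundle: bytes) -> bytes:
    """Vendor-side: tag over the exact bytes that will be shipped."""
    return hmac.new(VENDOR_KEY, bundle, hashlib.sha256).digest()


def accept_patch(bundle: bytes, signature: bytes) -> List[str]:
    """Appliance-side gate.  Verify first, inspect second, execute never
    unless both pass.  Raises ValueError on rejection; returns the member
    names that may be applied."""
    if not hmac.compare_digest(sign_patch(bundle), signature):
        raise ValueError("patch signature invalid: refusing to run any of its scripts")
    names = []
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"path escape in patch member: {m.name}")
            if not m.isfile():                 # no symlinks, devices or directories
                raise ValueError(f"non-regular member in patch: {m.name}")
            names.append(m.name)
    return names


def demo() -> Dict[str, bool]:
    """Constructed contents: a shell script and a JS file, the two member
    kinds the advisories mention."""
    legit = build_patch({"install.sh": b"#!/bin/sh\necho applying fix\n",
                         "ui/fix.js": b"console.log('patched');\n"})
    sig = sign_patch(legit)
    tampered = build_patch({"install.sh": b"#!/bin/sh\necho attacker script\n",
                            "ui/fix.js": b"console.log('patched');\n"})
    escaping = build_patch({"../../etc/cron.d/job": b"* * * * * root /bin/sh\n"})

    def ok(bundle: bytes, s: bytes) -> bool:
        try:
            accept_patch(bundle, s)
            return True
        except ValueError:
            return False

    return {
        "legit": ok(legit, sig),
        "tampered": ok(tampered, sig),            # content changed, tag no longer matches
        "unsigned": ok(legit, b"\x00" * 32),      # no valid tag at all
        "escape": ok(escaping, sign_patch(escaping)),  # signed, but still rejected
    }
```

`demo()` returns `{"legit": True, "tampered": False, "unsigned": False, "escape": False}`. The ordering inside `accept_patch` is the point: the archive is not even opened until the tag verifies, so a crafted bundle never gets to influence what the appliance does, and the path check is independent of the signature so that a vendor mistake does not become a filesystem write anywhere the attacker chooses.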


Shodan ® - All rights reserved