Security Vulnerabilities - CVEs Published In November 2019
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVSS Score: 6.5 | EPSS Score: 0.017 | Published: 2019-11-08
A flaw was found in the Ceph RGW configuration with Beast as the front end handling client requests. An unauthenticated attacker could crash the Ceph RGW server by sending valid HTTP headers and terminating the connection, resulting in a remote denial of service for Ceph RGW clients.
CVSS Score: 7.5 | EPSS Score: 0.027 | Published: 2019-11-08
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2019-11-08
It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.
CVSS Score: 7.4 | EPSS Score: 0.003 | Published: 2019-11-08
An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. A malicious system user could exploit this flaw to access sensitive user information.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2019-11-08
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2019-11-08
In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security information about private resources managed by JBoss ON.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2019-11-08
FireGPG before 0.6 handles the user's passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk, which may result in the compromise of secure communication or of a user's private key.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2019-11-08
gri before 2.12.18 generates temporary files in an insecure way.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2019-11-08
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2019-11-08
Shodan ® - All rights reserved