Security Vulnerabilities - CVEs Published In November 2019
Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagnostic Support Bundles.
CVSS Score: 7.5, EPSS Score: 0.004, Published: 2019-11-26
Cloudera Search in CDH before 5.7.0 allows unauthorized document access because Solr Queries by document id can bypass Sentry document-level security via the RealTimeGetHandler.
CVSS Score: 6.5, EPSS Score: 0.002, Published: 2019-11-26
ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
CVSS Score: 6.4, EPSS Score: 0.003, Published: 2019-11-26
There is Sensitive Information in Cloudera Manager before 5.4.6 Diagnostic Support Bundles.
CVSS Score: 7.5, EPSS Score: 0.004, Published: 2019-11-26
An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.
CVSS Score: 3.7, EPSS Score: 0.001, Published: 2019-11-26
A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.
CVSS Score: 5.8, EPSS Score: 0.002, Published: 2019-11-26
A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve username and password credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license.
CVSS Score: 8.4, EPSS Score: 0.001, Published: 2019-11-26
Yaws 1.91 has a directory traversal vulnerability in the way certain URLs are processed. A remote authenticated user could use this flaw to obtain the content of arbitrary local files via a specially crafted URL request.
CVSS Score: 6.5, EPSS Score: 0.259, Published: 2019-11-26
Yubico PAM Module before 2.10 performed user authentication when the 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent the common authentication process and obtain access to the account in question by providing a NULL value (pressing the Ctrl-D keyboard sequence) as the password string.
CVSS Score: 9.8, EPSS Score: 0.015, Published: 2019-11-26
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt the integrity of services that depend on a strong private RSA key generation mechanism.
CVSS Score: 9.8, EPSS Score: 0.001, Published: 2019-11-26

