Security Vulnerabilities - CVEs Published In December 2020
A flaw was found in ImageMagick in coders/hdr.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to ImageMagick 7.0.8-68.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-12-03
A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68.
CVSS Score
3.3
EPSS Score
0.001
Published
2020-12-03
A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.
CVSS Score
8.8
EPSS Score
0.01
Published
2020-12-03
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-12-03
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI.
CVSS Score
7.5
EPSS Score
0.006
Published
2020-12-03
OpenClinic version 0.8.2 is affected by a stored XSS vulnerability in lib/Check.php that allows users of the application to force actions on behalf of other users.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-12-03
OpenClinic version 0.8.2 is affected by a medical/test_new.php insecure file upload vulnerability. This vulnerability allows authenticated users (with substantial privileges) to upload malicious files, such as PHP web shells, which can lead to arbitrary code execution on the application server.
CVSS Score
7.2
EPSS Score
0.023
Published
2020-12-03
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
CVSS Score
9.8
EPSS Score
0.005
Published
2020-12-03
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.
CVSS Score
8.1
EPSS Score
0.001
Published
2020-12-03
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-12-03