Redhat:  Security Vulnerabilities
eDeploy has tmp file race condition flaws
CVSS Score
8.1
EPSS Score
0.005
Published
2019-12-15
rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml world readable
CVSS Score
5.5
EPSS Score
0.001
Published
2019-12-13
mcollective has a default password set at install
CVSS Score
9.8
EPSS Score
0.005
Published
2019-12-13
CFME: CSRF protection vulnerability via permissive check of the referrer header
CVSS Score
8.8
EPSS Score
0.002
Published
2019-12-13
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. They fail to prevent existing globally installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behaviour is still allowed in local installations and through install scripts. Because the overwrite happens when the bin links are created, not in a lifecycle script, installing with the --ignore-scripts option does not prevent it.
CVSS Score
7.7
EPSS Score
0.003
Published
2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Packages can create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field allows a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behaviour is still possible through install scripts. Because the link is created by the installer itself, the --ignore-scripts install option does not prevent it.
CVSS Score
7.7
EPSS Score
0.009
Published
2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. They fail to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field allows a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behaviour is still possible through install scripts. Because the bin field is processed by the installer itself, the --ignore-scripts install option does not prevent it.
CVSS Score
7.7
EPSS Score
0.01
Published
2019-12-13
A vulnerability was found in 3scale before version 2.6: the HttpOnly attribute was not set on the user session cookie. An attacker who found a cross-site scripting flaw could use this to read the session cookie from script and gain access to unauthorized information.
CVSS Score
4.6
EPSS Score
0.003
Published
2019-12-12
Openshift has shell command injection flaws due to unsanitized data being passed into shell commands.
CVSS Score
8.8
EPSS Score
0.014
Published
2019-12-11
katello-headpin is vulnerable to CSRF in REST API
CVSS Score
6.5
EPSS Score
0.002
Published
2019-12-11
Shodan ® - All rights reserved