CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1801 CVE-2019-10426 312 2019-09-25 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
1802 CVE-2019-10424 312 2019-09-25 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins elOyente Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
1803 CVE-2019-10423 312 2019-09-25 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
1804 CVE-2019-10420 312 2019-09-25 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
1805 CVE-2019-10419 312 2019-09-25 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
1806 CVE-2019-10398 522 2019-09-12 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
1807 CVE-2019-10397 522 2019-09-12 2019-10-09
2.6
None Remote High Not required Partial None None
Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
1808 CVE-2019-10378 522 2019-08-07 2020-10-01
2.1
None Local Low Not required Partial None None
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
1809 CVE-2019-10367 532 2019-08-07 2019-10-09
2.1
None Local Low Not required Partial None None
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.
1810 CVE-2019-10364 532 2019-07-31 2020-10-02
2.1
None Local Low Not required Partial None None
Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.
1811 CVE-2019-10361 522 2019-07-31 2020-10-02
2.1
None Local Low Not required Partial None None
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.
1812 CVE-2019-10345 532 2019-07-31 2020-10-02
2.1
None Local Low Not required Partial None None
Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.
1813 CVE-2019-10343 532 2019-07-31 2019-10-09
2.1
None Local Low Not required Partial None None
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.
1814 CVE-2019-10239 269 2019-04-24 2020-08-24
2.1
None Local Low Not required Partial None None
Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently, which allows locally authenticated attackers (under the same user context) to obtain cleartext credentials of the stored account.
1815 CVE-2019-10224 200 Exec Code +Info 2019-11-25 2019-12-10
2.1
None Local Low Not required Partial None None
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
1816 CVE-2019-10207 476 2019-11-25 2020-01-03
2.1
None Local Low Not required None None Partial
A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
1817 CVE-2019-10194 532 2019-07-11 2020-10-15
2.1
None Local Low Not required Partial None None
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
1818 CVE-2019-10183 200 +Info 2019-07-03 2019-10-09
2.1
None Local Low Not required Partial None None
Virt-install(1) utility used to provision new virtual machines has introduced an option '--unattended' to create VMs without user interaction. This option accepts guest VM password as command line arguments, thus leaking them to others users on the system via process listing. It was introduced recently in the virt-manager v2.2.0 release.
1819 CVE-2019-10165 532 2019-07-30 2020-10-02
2.1
None Local Low Not required Partial None None
OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources.
1820 CVE-2019-10157 287 2019-06-12 2019-10-09
2.1
None Local Low Not required None None Partial
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
1821 CVE-2019-10152 22 Dir. Trav. 2019-07-30 2020-09-30
2.6
None Local High Not required Partial Partial None
A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
1822 CVE-2019-10146 79 XSS 2020-03-18 2020-03-20
2.6
None Remote High Not required None Partial None
A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
1823 CVE-2019-10139 311 2019-05-17 2020-09-30
2.1
None Local Low Not required Partial None None
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
1824 CVE-2019-9938 200 +Info 2019-03-22 2019-03-25
2.9
None Local Network Medium Not required Partial None None
The SHAREit application before 4.0.42 for Android allows a remote attacker (on the same network or joining public "open" Wi-Fi hotspots created by the application when file transfer is initiated) to download arbitrary files from the device including contacts, photos, videos, sound clips, etc. The attacker must be authenticated as a "recognized device."
1825 CVE-2019-9824 908 2019-06-03 2020-08-24
2.1
None Local Low Not required Partial None None
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
1826 CVE-2019-9706 416 DoS 2019-03-12 2019-12-18
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.
1827 CVE-2019-9705 770 DoS 2019-03-12 2020-08-24
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.
1828 CVE-2019-9704 20 DoS 2019-03-12 2019-03-21
2.1
None Local Low Not required None None Partial
Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.
1829 CVE-2019-9699 200 +Info 2019-10-24 2019-10-30
2.7
None Local Network Low ??? Partial None None
Symantec Messaging Gateway (prior to 10.7.0), may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.
1830 CVE-2019-9532 319 2019-10-10 2019-10-17
2.1
None Local Low Not required Partial None None
The web application portal of the Cobham EXPLORER 710, firmware version 1.07, sends the login password in cleartext. This could allow an unauthenticated, local attacker to intercept the password and gain access to the portal.
1831 CVE-2019-9475 668 Bypass +Info 2021-06-11 2021-06-15
2.1
None Local Low Not required Partial None None
In /proc/net of the kernel filesystem, there is a possible information leak due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-9496886
1832 CVE-2019-9472 200 +Info 2020-01-06 2020-01-09
2.1
None Local Low Not required Partial None None
In DCRYPTO_equals of compare.c, there is a possible timing attack due to improperly used crypto. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-130237611
1833 CVE-2019-9465 2020-01-07 2020-08-24
2.1
None Local Low Not required Partial None None
In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-133258003
1834 CVE-2019-9455 200 +Info 2019-09-06 2020-06-13
2.1
None Local Low Not required Partial None None
In the Android kernel in the video driver there is a kernel pointer leak due to a WARN_ON statement. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
1835 CVE-2019-9453 20 2019-09-06 2020-09-23
2.1
None Local Low Not required Partial None None
In the Android kernel in F2FS touch driver there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
1836 CVE-2019-9452 125 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in SEC_TS touch driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
1837 CVE-2019-9449 125 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in FingerTipS touchscreen driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
1838 CVE-2019-9445 125 2019-09-06 2020-11-02
2.1
None Local Low Not required Partial None None
In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
1839 CVE-2019-9444 200 +Info 2019-09-06 2019-09-09
2.1
None Local Low Not required Partial None None
In the Android kernel in sync debug fs driver there is a kernel pointer leak due to the usage of printf with %p. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
1840 CVE-2019-9440 610 2019-09-27 2019-10-04
2.1
None Local Low Not required Partial None None
In AOSP Email, there is a possible information disclosure due to a confused deputy. This could lead to local disclosure of the Email app's protected files with User execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-37637796
1841 CVE-2019-9438 610 2019-09-27 2019-10-03
2.1
None Local Low Not required Partial None None
In the Package Manager service, there is a possible information disclosure due to a confused deputy. This could lead to local disclosure of information about installed packages for other users with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-77821568
1842 CVE-2019-9435 125 2019-09-27 2019-09-30
2.1
None Local Low Not required Partial None None
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-80146682
1843 CVE-2019-9427 416 2019-09-27 2019-10-01
2.1
None Local Low Not required Partial None None
In Bluetooth, there is a possible information disclosure due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-110166350
1844 CVE-2019-9417 125 2019-09-27 2019-09-30
2.1
None Local Low Not required Partial None None
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-111450079
1845 CVE-2019-9377 862 Bypass 2019-09-27 2019-10-07
2.1
None Local Low Not required Partial None None
In FingerprintService, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to a local information disclosure of metadata about the biometrics of another user on the device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599663
1846 CVE-2019-9373 502 DoS 2019-09-27 2019-10-03
2.1
None Local Low Not required None None Partial
In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute. This could lead to a local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-130173029
1847 CVE-2019-9369 1187 2019-09-27 2019-10-02
2.1
None Local Low Not required Partial None None
In Bluetooth, there is a use of uninitialized variable. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79995407
1848 CVE-2019-9368 125 2019-09-27 2019-09-30
2.1
None Local Low Not required Partial None None
In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79883568
1849 CVE-2019-9364 863 Bypass 2019-09-27 2020-08-24
2.1
None Local Low Not required Partial None None
In AudioService, there is a possible trigger of background user audio due to a permissions bypass. This could lead to local information disclosure by playing the background user's audio with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-73364631
1850 CVE-2019-9351 862 Bypass 2019-09-27 2019-10-02
2.1
None Local Low Not required Partial None None
In SyncStatusObserver, there is a possible bypass for operating system protections that isolate user profiles from each other due to a missing permission check. This could lead to local limited information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-128599864
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.