| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
4551 |
CVE-2017-1000125 |
732 |
|
|
2017-11-17 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Codiad(full version) is vulnerable to write anything to configure file in the installation resulting upload a webshell. |
|
4552 |
CVE-2017-1000122 |
20 |
|
DoS |
2017-11-01 |
2017-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate certain message metadata, allowing a compromised secondary process to cause a denial of service (release assertion) of the UI process. This vulnerability does not affect Apple products. |
|
4553 |
CVE-2017-1000118 |
119 |
|
DoS Overflow |
2017-10-04 |
2017-10-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service |
|
4554 |
CVE-2017-1000115 |
59 |
|
|
2017-10-04 |
2019-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can malicious repositories to modify files outside the repository |
|
4555 |
CVE-2017-1000108 |
200 |
|
+Info |
2017-10-04 |
2017-11-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead. |
|
4556 |
CVE-2017-1000106 |
287 |
|
|
2017-10-04 |
2019-10-02 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name. |
|
4557 |
CVE-2017-1000105 |
732 |
|
|
2017-10-04 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient. |
|
4558 |
CVE-2017-1000098 |
769 |
|
|
2017-10-04 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. |
|
4559 |
CVE-2017-1000097 |
295 |
|
|
2017-10-04 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. |
|
4560 |
CVE-2017-1000089 |
276 |
|
|
2017-10-04 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins. The Pipeline: Build Step Plugin did not check the build authentication it was running as and allowed triggering any other project in Jenkins. |
|
4561 |
CVE-2017-1000070 |
601 |
|
|
2017-07-17 |
2017-07-20 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819 |
|
4562 |
CVE-2017-1000068 |
287 |
|
DoS |
2017-07-17 |
2017-08-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
TestTrack Server versions 1.0 and earlier are vulnerable to an authentication flaw in the split disablement feature resulting in the ability to disable arbitrary running splits and cause denial of service to clients in the field. |
|
4563 |
CVE-2017-1000066 |
|
|
|
2017-07-17 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The entry details view function in KeePass version 1.32 inadvertently decrypts certain database entries into memory, which may result in the disclosure of sensitive information. |
|
4564 |
CVE-2017-1000064 |
400 |
|
|
2017-07-17 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
kittoframework kitto version 0.5.1 is vulnerable to memory exhaustion in the router resulting in DoS |
|
4565 |
CVE-2017-1000062 |
22 |
|
Exec Code Dir. Trav. |
2017-07-17 |
2017-07-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
kittoframework kitto 0.5.1 is vulnerable to directory traversal in the router resulting in remote code execution |
|
4566 |
CVE-2017-1000061 |
611 |
|
DoS |
2017-07-17 |
2018-01-04 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansion when parsing crafted input documents, resulting in possible information disclosure or denial of service |
|
4567 |
CVE-2017-1000050 |
476 |
|
|
2017-07-17 |
2018-11-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
JasPer 2.0.12 is vulnerable to a NULL pointer exception in the function jp2_encode which failed to check to see if the image contained at least one component resulting in a denial-of-service. |
|
4568 |
CVE-2017-1000048 |
20 |
|
|
2017-07-17 |
2017-12-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash. |
|
4569 |
CVE-2017-1000046 |
|
|
|
2017-07-17 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mautic 2.6.1 and earlier fails to set flags on session cookies |
|
4570 |
CVE-2017-1000030 |
287 |
|
|
2017-07-17 |
2017-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain text password of administrative user and grant access to the web-based administration interface. |
|
4571 |
CVE-2017-1000029 |
200 |
|
+Info File Inclusion |
2017-07-17 |
2017-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Local File Inclusion vulnerability, that makes it possible to include arbitrary files on the server, this vulnerability can be exploited without any prior authentication. |
|
4572 |
CVE-2017-1000028 |
22 |
|
Dir. Trav. |
2017-07-17 |
2019-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request. |
|
4573 |
CVE-2017-1000027 |
601 |
|
|
2017-07-17 |
2017-07-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access. |
|
4574 |
CVE-2017-1000026 |
22 |
|
Dir. Trav. |
2017-07-17 |
2017-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using ".." in tar archive entries |
|
4575 |
CVE-2017-1000025 |
200 |
|
+Info |
2017-07-17 |
2017-08-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 before 3.20.7, 3.18 before 3.18.11, and prior versions, is vulnerable to a password manager sweep attack resulting in the remote exfiltration of stored passwords for a selected set of websites. |
|
4576 |
CVE-2017-1000024 |
319 |
|
|
2017-07-17 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission |
|
4577 |
CVE-2017-1000018 |
20 |
|
|
2017-07-17 |
2018-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name |
|
4578 |
CVE-2017-1000016 |
20 |
|
|
2017-07-17 |
2017-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. |
|
4579 |
CVE-2017-1000014 |
20 |
|
|
2017-07-17 |
2018-07-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality |
|
4580 |
CVE-2017-1000013 |
601 |
|
|
2017-07-17 |
2018-07-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness |
|
4581 |
CVE-2017-1000001 |
20 |
|
|
2017-07-17 |
2017-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
FedMsg 0.18.1 and older is vulnerable to a message validation flaw resulting in message validation not being enabled if configured to be on. |
|
4582 |
CVE-2017-18636 |
22 |
|
Dir. Trav. |
2019-09-30 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
CDG through 2017-01-01 allows downloadDocument.jsp?command=download&pathAndName= directory traversal. |
|
4583 |
CVE-2017-18604 |
502 |
|
|
2019-09-10 |
2019-09-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request. |
|
4584 |
CVE-2017-18594 |
415 |
|
DoS |
2019-08-28 |
2019-09-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
nse_libssh2.cc in Nmap 7.70 is subject to a denial of service condition due to a double free when an SSH connection fails, as demonstrated by a leading \n character to ssh-brute.nse or ssh-auth-methods.nse. |
|
4585 |
CVE-2017-18592 |
434 |
|
|
2019-08-27 |
2019-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads. |
|
4586 |
CVE-2017-18589 |
20 |
|
|
2019-08-26 |
2019-08-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An issue was discovered in the cookie crate before 0.7.6 for Rust. Large integers in the Max-Age of a cookie cause a panic. |
|
4587 |
CVE-2017-18588 |
295 |
|
|
2019-08-26 |
2019-08-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in the security-framework crate before 0.1.12 for Rust. Hostname verification for certificates does not occur if ClientBuilder uses custom root certificates. |
|
4588 |
CVE-2017-18587 |
93 |
|
|
2019-08-26 |
2019-09-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
An issue was discovered in the hyper crate before 0.9.18 for Rust. It mishandles newlines in headers. |
|
4589 |
CVE-2017-18585 |
22 |
|
Dir. Trav. |
2019-08-22 |
2019-08-23 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The posts-in-page plugin before 1.3.0 for WordPress has ic_add_posts template='../ directory traversal. |
|
4590 |
CVE-2017-18584 |
264 |
|
|
2019-08-22 |
2019-08-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action. |
|
4591 |
CVE-2017-18545 |
20 |
|
|
2019-08-16 |
2019-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input. |
|
4592 |
CVE-2017-18485 |
352 |
|
CSRF |
2019-08-08 |
2019-08-15 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Cognitoys Dino devices allow profiles_add.html CSRF. |
|
4593 |
CVE-2017-18476 |
254 |
|
|
2019-08-05 |
2019-08-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Leech Protect in cPanel before 62.0.4 does not protect certain directories (SEC-205). |
|
4594 |
CVE-2017-18464 |
20 |
|
|
2019-08-05 |
2019-08-12 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226). |
|
4595 |
CVE-2017-18462 |
254 |
|
Bypass |
2019-08-05 |
2019-08-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224). |
|
4596 |
CVE-2017-18461 |
20 |
|
|
2019-08-02 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223). |
|
4597 |
CVE-2017-18451 |
264 |
|
|
2019-08-02 |
2019-08-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade (SEC-257). |
|
4598 |
CVE-2017-18448 |
22 |
|
Dir. Trav. |
2019-08-02 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call (SEC-252). |
|
4599 |
CVE-2017-18444 |
20 |
|
Exec Code |
2019-08-02 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 64.0.21 allows demo accounts to execute SSH API commands (SEC-248). |
|
4600 |
CVE-2017-18443 |
20 |
|
|
2019-08-02 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 64.0.21 allows demo and suspended accounts to use SSH port forwarding (SEC-247). |
