An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.05%
Published
2018-01-24
Updated
2019-10-03
On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.
Source: MITRE
Max CVSS
4.9
EPSS Score
0.06%
Published
2018-01-23
Updated
2020-08-24
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.08%
Published
2018-01-23
Updated
2018-02-07
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.08%
Published
2018-01-23
Updated
2018-02-07
Jenkins Warnings Plugin 4.64 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.10%
Published
2018-01-23
Updated
2018-02-07
Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.10%
Published
2018-01-23
Updated
2018-02-07
Jenkins DRY Plugin 2.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.10%
Published
2018-01-23
Updated
2018-02-07
Jenkins Checkstyle Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.10%
Published
2018-01-23
Updated
2018-02-07
Jenkins PMD Plugin 3.49 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.10%
Published
2018-01-23
Updated
2018-02-07
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
Source: MITRE
Max CVSS
9.8
EPSS Score
0.57%
Published
2018-01-24
Updated
2022-06-13

CVE-2018-1000006

Public exploit
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
Source: MITRE
Max CVSS
9.3
EPSS Score
96.92%
Published
2018-01-24
Updated
2018-04-01
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
Source: MITRE
Max CVSS
9.1
EPSS Score
0.65%
Published
2018-01-24
Updated
2019-06-18
In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.
Source: MITRE
Max CVSS
7.1
EPSS Score
0.82%
Published
2018-01-16
Updated
2020-07-15
Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.
Source: MITRE
Max CVSS
4.3
EPSS Score
0.07%
Published
2018-01-22
Updated
2018-02-06
Improper input validation bugs in DNSSEC validators components in Knot Resolver (prior version 1.5.2) allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.
Source: MITRE
Max CVSS
4.3
EPSS Score
0.07%
Published
2018-01-22
Updated
2019-11-06

CVE-2018-1000001

Public exploit
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.53%
Published
2018-01-31
Updated
2019-10-03
A type confusion issue was discovered in CCN-lite 2, leading to a memory access violation and a failure of the nonce feature (which, for example, helped with loop prevention). ccnl_fwd_handleInterest assumes that the union member s is of type ccnl_pktdetail_ndntlv_s. However, if the type is in fact struct ccnl_pktdetail_ccntlv_s or struct ccnl_pktdetail_iottlv_s, the memory at that point is either uninitialised or points to data that is not a nonce, which renders the code using the local variable nonce pointless. A later nonce check is insufficient.
Source: MITRE
Max CVSS
8.8
EPSS Score
0.20%
Published
2018-01-31
Updated
2018-02-21
An issue was discovered on Netwave IP Camera devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to the / URI.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.09%
Published
2018-01-31
Updated
2021-09-13
In SUPERAntiSpyware Professional Trial 6.0.1254, the SASKUTIL.SYS driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating input values from IOCtl 0x9C402114 or 0x9C402124 or 0x9C40207c.
Source: MITRE
Max CVSS
10.0
EPSS Score
0.20%
Published
2018-01-31
Updated
2018-02-13
In SUPERAntiSpyware Professional Trial 6.0.1254, SUPERAntiSpyware.exe allows DLL hijacking, leading to Escalation of Privileges.
Source: MITRE
Max CVSS
9.3
EPSS Score
0.06%
Published
2018-01-31
Updated
2018-02-13
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402148.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.04%
Published
2018-01-31
Updated
2018-02-13
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402080.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.04%
Published
2018-01-31
Updated
2018-02-13
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C40204c.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.04%
Published
2018-01-31
Updated
2018-02-13
In SUPERAntiSpyware Professional Trial 6.0.1254, the driver file (SASKUTIL.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402078.
Source: MITRE
Max CVSS
7.8
EPSS Score
0.04%
Published
2018-01-31
Updated
2018-02-13
The PropertyHive plugin before 1.4.15 for WordPress has XSS via the body parameter to includes/admin/views/html-preview-applicant-matches-email.php.
Source: MITRE
Max CVSS
6.1
EPSS Score
0.15%
Published
2018-01-31
Updated
2018-02-15
1273 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!