andikahilmy

165 exploits Active since Aug 2013
CVE-2017-15717 NOMISEC MEDIUM WRITEUP
Apache Sling XSS Protection API 1.0.4-1.0.18 and 2.0.0 - Cross-Site Scripting via URL Validation Bypass
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
CVSS 6.1
CVE-2017-1000207 NOMISEC HIGH WORKING POC
Swagger-Parser <=1.0.30 & Swagger Codegen <=2.2.2 - RCE
A vulnerability in Swagger-Parser's version <= 1.0.30 and Swagger codegen version <= 2.2.2 yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
CVSS 8.8
CVE-2016-9606 NOMISEC HIGH WORKING POC
JBoss RESTEasy < 3.1.2 - Remote Code Execution via YamlProvider Unmarshalling
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
CVSS 8.1
CVE-2016-9589 NOMISEC HIGH STUB
Red Hat JBoss WildFly Application Server < 10.1.0 - Denial of Service via HTTP Header Cache Exhaustion
Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.
CVSS 7.5
CVE-2016-9177 NOMISEC HIGH STUB
Spark < 2.5 - Path Traversal via URI
Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
CVSS 7.5
CVE-2016-8744 NOMISEC HIGH STUB
Apache Brooklyn <0.10.0 - Code Injection
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
CVSS 8.8
CVE-2016-8741 NOMISEC HIGH WRITEUP
Apache Qpid Broker for Java <6.0.6, <6.1.1 - Info Disclosure
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.
CVSS 7.5
CVE-2016-7051 NOMISEC HIGH WORKING POC
jackson-dataformat-xml < 2.7.8 - Server-Side Request Forgery via DTD Processing
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
CVSS 8.6
CVE-2016-6809 NOMISEC CRITICAL STUB
Apache Tika < 1.14 - Remote Code Execution via MATLAB File Deserialization
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CVSS 9.8
CVE-2016-6802 NOMISEC HIGH STUB
Apache Shiro < 1.3.2 - Filter Bypass via Non-Root Servlet Context Path
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
CVSS 7.5
CVE-2016-6801 NOMISEC HIGH WORKING POC
Apache Jackrabbit < 2.4.6 - CSRF
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
CVSS 8.8
CVE-2016-4974 NOMISEC HIGH WRITEUP
Apache Qpid AMQP JMS Client < 6.0.4 & JMS (AMQP 1.0) < 0.10.0 - RCE via JMS ObjectMessage Deserialization
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
CVSS 7.5
CVE-2016-4464 NOMISEC CRITICAL WORKING POC
Apache CXF Fediz 1.2.0-1.2.2 and 1.3.0 - Improper Access Control via SAML AudienceRestriction Bypass
The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature.
CVSS 9.8
CVE-2016-3092 NOMISEC HIGH WORKING POC
Apache Tomcat 7.x < 7.0.70, 8.x < 8.0.36, 8.5.x < 8.5.3, 9.x < 9.0.0.M7 - Denial of Service via Long Boundary String
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
CVSS 7.5
CVE-2016-1000031 NOMISEC CRITICAL WORKING POC
Apache Commons FileUpload <1.3.3 - RCE
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVSS 9.8
CVE-2015-6748 NOMISEC MEDIUM WRITEUP
jsoup < 1.8.3 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.
CVSS 6.1
CVE-2015-6254 NOMISEC STUB
PicketLink <2.7.0 - Info Disclosure
The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability types.
CVE-2017-15095 NOMISEC CRITICAL WORKING POC
jackson-databind <2.8.10, 2.9.1 - Code Injection
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSS 9.8
CVE-2017-14063 NOMISEC HIGH WORKING POC
async-http-client < 2.0.35 - Server-Side Request Forgery via Fragment Identifier
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
CVSS 7.5
CVE-2017-12197 NOMISEC MEDIUM WORKING POC
libpam4j <= 1.8 - Authentication Bypass via Disabled Account Validation
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.
CVSS 6.5
CVE-2017-12165 NOMISEC LOW STUB
Undertow <1.4.17, <1.3.31, <2.0.0 - HTTP Request Smuggling
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.
CVSS 2.6
CVE-2017-1000487 NOMISEC CRITICAL WRITEUP
Plexus-utils <3.0.16 - Command Injection
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS 9.8
CVE-2017-1000209 NOMISEC MEDIUM WRITEUP
nv-websocket-client - Man-in-the-Middle
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate.
CVSS 5.9
CVE-2017-1000208 NOMISEC HIGH WORKING POC
Swagger-Parser <= 1.0.30 and Swagger-Codegen <= 2.2.2 - Remote Code Execution via YAML Parsing
A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
CVSS 8.8
CVE-2011-4367 NOMISEC WRITEUP
Apache MyFaces Core <2.0.12, <2.1.6 - Path Traversal
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.