dawetmaster

165 exploits Active since Aug 2013
CVE-2016-8741 NOMISEC HIGH WRITEUP
Apache Qpid Broker for Java <6.0.6, <6.1.1 - Info Disclosure
The Apache Qpid Broker for Java can be configured to use different so called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist thus allowing remote attacker to determine the existence of user accounts. The Vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.
CVSS 7.5
CVE-2016-8744 NOMISEC HIGH STUB
Apache Brooklyn <0.10.0 - Code Injection
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
CVSS 8.8
CVE-2016-9177 NOMISEC HIGH STUB
Spark < 2.5 - Path Traversal via URI
Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
CVSS 7.5
CVE-2016-9589 NOMISEC HIGH STUB
Red Hat JBoss WildFly Application Server < 10.1.0 - Denial of Service via HTTP Header Cache Exhaustion
Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.
CVSS 7.5
CVE-2016-9606 NOMISEC HIGH WORKING POC
JBoss RESTEasy < 3.1.2 - Remote Code Execution via YamlProvider Unmarshalling
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
CVSS 8.1
CVE-2017-1000207 NOMISEC HIGH STUB
Swagger-Parser <=1.0.30 & Swagger Codegen <=2.2.2 - RCE
A vulnerability in Swagger-Parser's version <= 1.0.30 and Swagger codegen version <= 2.2.2 yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
CVSS 8.8
CVE-2017-1000208 NOMISEC HIGH WORKING POC
Swagger-Parser <= 1.0.30 and Swagger-Codegen <= 2.2.2 - Remote Code Execution via YAML Parsing
A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
CVSS 8.8
CVE-2017-1000209 NOMISEC MEDIUM WRITEUP
nv-websocket-client - Man-in-the-Middle
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate.
CVSS 5.9
CVE-2017-1000487 NOMISEC CRITICAL WORKING POC
Plexus-utils <3.0.16 - Command Injection
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS 9.8
CVE-2017-12165 NOMISEC LOW STUB
Undertow <1.4.17, <1.3.31, <2.0.0 - HTTP Request Smuggling
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.
CVSS 2.6
CVE-2017-12197 NOMISEC MEDIUM WORKING POC
libpam4j <= 1.8 - Authentication Bypass via Disabled Account Validation
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.
CVSS 6.5
CVE-2017-14063 NOMISEC HIGH STUB
async-http-client < 2.0.35 - Server-Side Request Forgery via Fragment Identifier
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
CVSS 7.5
CVE-2017-15095 NOMISEC CRITICAL WORKING POC
jackson-databind <2.8.10, 2.9.1 - Code Injection
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSS 9.8
CVE-2017-15700 NOMISEC HIGH WRITEUP
Apache Sling Authentication Service 1.4.0 - Exposure of Sensitive Information via Login Form Redirect
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials.
CVSS 8.8
CVE-2017-15717 NOMISEC MEDIUM WRITEUP
Apache Sling XSS Protection API 1.0.4-1.0.18 and 2.0.0 - Cross-Site Scripting via URL Validation Bypass
A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected versions are Apache Sling XSS Protection API 1.0.4 to 1.0.18, Apache Sling XSS Protection API Compat 1.1.0 and Apache Sling XSS Protection API 2.0.0.
CVSS 6.1
CVE-2017-17485 NOMISEC CRITICAL WORKING POC
jackson-databind < 2.6.7.3, 2.9.0-2.9.3 - Unauthenticated Remote Code Execution via Malicious JSON Input
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSS 9.8
CVE-2017-18640 NOMISEC HIGH WORKING POC
SnakeYAML < 1.26 - XML Entity Expansion via Alias Feature
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVSS 7.5
CVE-2017-2649 NOMISEC HIGH WRITEUP
Jenkins Active Directory Plugin <= 2.2 - Improper Certificate Validation
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
CVSS 8.1
CVE-2017-2666 NOMISEC MEDIUM STUB
Undertow < 1.3.31 - HTTP Request Smuggling via Invalid Request Line Characters
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
CVSS 6.5
CVE-2017-5929 NOMISEC CRITICAL WRITEUP
Logback < 1.2.0 - Deserialization of Untrusted Data in SocketServer and ServerSocketReceiver
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSS 9.8
CVE-2017-7559 NOMISEC MEDIUM STUB
Undertow <2.0.0.Alpha2,<1.4.17.Final,<1.3.31.Final - SSRF
In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
CVSS 6.1
CVE-2017-7561 NOMISEC HIGH WORKING POC
Red Hat JBoss EAP 3.0.7-3.0.25.Final - Server-Side Cache Poisoning via JAX-RS Component
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
CVSS 7.5
CVE-2017-7661 NOMISEC HIGH WORKING POC
Apache CXF Fediz <1.4.0-1.2.4 - CSRF
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.
CVSS 8.8
CVE-2017-7662 NOMISEC HIGH WORKING POC
Apache CXF Fediz <1.4.0-1.3.2 - CSRF
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.
CVSS 8.8
CVE-2011-4367 NOMISEC STUB
Apache MyFaces Core <2.0.12, <2.1.6 - Path Traversal
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.