dawetmaster

165 exploits Active since Aug 2013
CVE-2017-9801 NOMISEC HIGH WORKING POC
Apache Commons Email <1.5 - Info Disclosure
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
CVSS 7.5
CVE-2018-1000125 NOMISEC CRITICAL WORKING POC
inversoft prime-jwt <1.3.0 - Info Disclosure
inversoft prime-jwt version prior to version 1.3.0 or prior to commit 0d94dcef0133d699f21d217e922564adbb83a227 contains an input validation vulnerability in JWTDecoder.decode that can result in a JWT that is decoded and thus implicitly validated even if it lacks a valid signature. This attack appear to be exploitable via an attacker crafting a token with a valid header and body and then requests it to be validated. This vulnerability appears to have been fixed in 1.3.0 and later or after commit 0d94dcef0133d699f21d217e922564adbb83a227.
CVSS 9.8
CVE-2018-1000531 NOMISEC HIGH WORKING POC
prime-jwt < 1.3.0 - JWT Signature Validation Bypass via 'none' Algorithm
inversoft prime-jwt version prior to commit abb0d479389a2509f939452a6767dc424bb5e6ba contains a CWE-20 vulnerability in JWTDecoder.decode that can result in an incorrect signature validation of a JWT token. This attack can be exploitable when an attacker crafts a JWT token with a valid header using 'none' as algorithm and a body to requests it be validated. This vulnerability was fixed after commit abb0d479389a2509f939452a6767dc424bb5e6ba.
CVSS 7.5
CVE-2018-1000822 NOMISEC CRITICAL WORKING POC
codelibs fess < 12.2.3 and 12.3.0-12.3.1 - XML External Entity Injection in GSA XML File Parser
codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via specially crafted GSA XML files. This vulnerability appears to have been fixed in after commit faa265b.
CVSS 10.0
CVE-2018-1000844 NOMISEC CRITICAL WRITEUP
Square Retrofit < 2.5.0 - XML External Entity Injection via JAXB
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
CVSS 9.1
CVE-2018-1000873 NOMISEC MEDIUM STUB
jackson-modules-java8 < 2.9.8 - Denial of Service via Large Nanoseconds Field in Time Value
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSS 6.5
CVE-2018-1002200 NOMISEC MEDIUM WRITEUP
Plexus-archiver <3.6.0 - Path Traversal
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
CVSS 5.5
CVE-2018-1002201 NOMISEC MEDIUM WRITEUP
zt-zip < 1.13 - Path Traversal via Zip Archive Entry Extraction
zt-zip before 1.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
CVSS 5.5
CVE-2018-10936 NOMISEC HIGH WRITEUP
postgresql-jdbc <42.2.5 - SSL Man-In-The-Middle
A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.
CVSS 8.1
CVE-2018-1114 NOMISEC MEDIUM STUB
Undertow < 1.4.25.Final - File Descriptor Leak via URLResource.getLastModified()
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.
CVSS 6.5
CVE-2018-11307 NOMISEC CRITICAL WORKING POC
jackson-databind 2.0.0-2.9.5 - Deserialization of Untrusted Data via iBatis Gadget Class
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVSS 9.8
CVE-2018-11771 NOMISEC MEDIUM STUB
Apache Commons Compress 1.7-1.17 - Denial of Service via Malformed ZIP Archive
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
CVSS 5.5
CVE-2018-12022 NOMISEC HIGH WORKING POC
FasterXML jackson-databind <2.7.9.4, 2.8.11.2, 2.9.6 - Code Injection
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVSS 7.5
CVE-2018-12023 NOMISEC HIGH WORKING POC
FasterXML jackson-databind <2.7.9.4-2.8.11.2-2.9.6 - Code Injection
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVSS 7.5
CVE-2018-12537 NOMISEC MEDIUM STUB
Eclipse Vert.x <3.5.1 - Code Injection
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVSS 5.3
CVE-2018-12540 NOMISEC HIGH WORKING POC
Eclipse Vert.x 3.0.0-3.5.2 - Cross-Site Request Forgery via XSRF Token Replay
In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.
CVSS 8.8
CVE-2018-12541 NOMISEC MEDIUM WRITEUP
Eclipse Vert.x <3.5.3 - Memory Corruption
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.
CVSS 6.5
CVE-2018-12542 NOMISEC CRITICAL WORKING POC
Eclipse Vert.x <3.5.3 - Path Traversal
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems.
CVSS 9.8
CVE-2018-12544 NOMISEC CRITICAL WORKING POC
Eclipse Vert.x 3.5.Beta1-3.5.3 - XML External Entity Injection via OpenAPI XML Type Validator
In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
CVSS 9.8
CVE-2018-1273 NOMISEC CRITICAL STUB
Spring Data Commons < 1.13.11 - Unauthenticated Remote Code Execution via Property Binder
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
CVSS 9.8
CVE-2018-1274 NOMISEC HIGH STUB
Pivotal Software Spring Data Commons < 1.13.11 - Resource Allocation Without Limits
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).
CVSS 7.5
CVE-2018-1306 NOMISEC HIGH WORKING POC
Apache Pluto 3.0.0 - Exposure of Sensitive Information via File Upload Path Disclosure
The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
CVSS 7.5
CVE-2018-1324 NOMISEC MEDIUM STUB
Apache Commons Compress 1.11-1.15 - Denial of Service via ZIP Extra Field Parser
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
CVSS 5.5
CVE-2018-1337 NOMISEC CRITICAL STUB
Apache Directory LDAP API < 1.0.2 - Exposure of Sensitive Information via TLS Handshake Bypass
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CVSS 9.8
CVE-2011-4367 NOMISEC STUB
Apache MyFaces Core <2.0.12, <2.1.6 - Path Traversal
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.