shoucheng3

136 exploits Active since Dec 2012
CVE-2022-2712 NOMISEC MEDIUM
Eclipse GlassFish 5.1.0-6.2.5 - Unauthenticated Path Traversal via Relative Path
In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.
CVSS 6.5
CVE-2022-26884 NOMISEC MEDIUM WRITEUP
Apache DolphinScheduler <2.0.6 - Info Disclosure
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
CVSS 6.5
CVE-2022-26049 NOMISEC MEDIUM WRITEUP
com.diffplug.gradle:goomph <3.37.2 - Code Injection
This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability. **Note:** This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is the p2 bootstrapper and eclipse metadata files hosted at eclipse.org, which are not malicious, so the only way this vulnerability could have affected you is if you had set a custom bootstrap zip, and that zip was malicious.
CVSS 5.3
CVE-2022-25842 NOMISEC MEDIUM WORKING POC
alibaba one-java-agent-plugin < 0.0.2 - Arbitrary File Write via Zip Slip Archive Extraction
All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
CVSS 6.9
CVE-2022-25175 NOMISEC HIGH WRITEUP
Jenkins Pipeline Multibranch < 706.vd43c65dec013 - Authenticated OS Command Injection via readTrusted Step
Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVSS 8.8
CVE-2022-25174 NOMISEC HIGH WORKING POC
Jenkins Pipeline < 552.vd9cc05b8a2e1 - Authenticated OS Command Injection via SCM Checkout Directory
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVSS 8.8
CVE-2022-25173 NOMISEC HIGH WORKING POC
Jenkins Pipeline: Groovy Plugin < 2648.va9433432b33c - OS Command Injection via SCM Content
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
CVSS 8.8
CVE-2022-24897 NOMISEC HIGH WRITEUP
XWiki 2.3-12.6.6 - Authenticated Path Traversal via Velocity Script File API
APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
CVSS 7.5
CVE-2022-24891 NOMISEC MEDIUM WRITEUP
OWASP Enterprise Security API < 2.3.0.0 - Cross-Site Scripting via antisamy-esapi.xml onsiteURL Regex
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
CVSS 5.4
CVE-2022-23457 NOMISEC HIGH WRITEUP
OWASP Enterprise Security API < 2.3.0.0 - Path Traversal via Validator.getValidDirectoryPath
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
CVSS 7.5
CVE-2022-23082 NOMISEC HIGH WORKING POC
CureKit 1.0.1-1.1.3 - Path Traversal via isFileOutsideDir Input Sanitization Bypass
In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal.
CVSS 7.5
CVE-2022-20617 NOMISEC HIGH STUB
Jenkins Docker Commons Plugin <1.17 - Command Injection
Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository.
CVSS 8.8
CVE-2022-22965 NOMISEC CRITICAL STUB
Spring Framework - Remote Code Execution via Data Binding
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVSS 9.8
CVE-2022-22947 NOMISEC CRITICAL WORKING POC
Spring Cloud Gateway Remote Code Execution
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
CVSS 10.0
CVE-2022-22932 NOMISEC MEDIUM STUB
Apache Karaf < 4.2.15 and 4.3.0-4.3.6 - Path Traversal via obr Commands and karaf-maven-plugin
Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326
CVSS 5.3
CVE-2022-1274 NOMISEC MEDIUM WORKING POC
Keycloak < 20.0.5 - Cross-Site Scripting via Execute-Actions-Email Endpoint
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
CVSS 5.4
CVE-2021-4178 NOMISEC MEDIUM WRITEUP
fabric8-kubernetes 5.0.0-beta-1-5.0.3 - Arbitrary Code Execution via YAML Parsing
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
CVSS 6.7
CVE-2021-29425 NOMISEC MEDIUM WRITEUP
Apache Commons IO - Path Traversal via FileNameUtils.normalize
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CVSS 4.8
CVE-2021-30180 NOMISEC CRITICAL STUB
Apache Dubbo < 2.7.10 - Remote Code Execution via Tag Routing YAML Parsing
Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.
CVSS 9.8
CVE-2021-30181 NOMISEC CRITICAL STUB
Apache Dubbo 2.5.0-2.6.8 and 2.5.0-2.7.8 - Remote Code Execution via Script Routing Rule Parsing
Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.
CVSS 9.8
CVE-2021-41269 NOMISEC CRITICAL WRITEUP
cron-utils < 9.1.6 - Unauthenticated Remote Code Execution via Java EL Expression Injection
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.
CVSS 10.0
CVE-2021-44667 NOMISEC MEDIUM WRITEUP
Nacos 2.0.3 - Cross-Site Scripting via Auth Users Page Parameters
A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters.
CVSS 6.1
CVE-2020-29204 NOMISEC MEDIUM WORKING POC
XXL-JOB < 2.3.0 - Stored Cross-Site Scripting in Add User via Username Parameter
XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java.
CVSS 6.1
CVE-2021-21345 NOMISEC MEDIUM STUB
Netapp Oncommand Insight < 5.15.14 - Insecure Deserialization
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVSS 5.8
CVE-2020-8570 NOMISEC CRITICAL WRITEUP
Kubernetes Java Client <10.0.0 - Path Traversal
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
CVSS 9.1