Nomisec Exploits

22,029 exploits tracked across all sources.

Sort: Activity Stars
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by Lee-SungYoung
CVSS 8.6
CVE-2019-13272 NOMISEC HIGH
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
by bigbigliang-malwarebenchmark
1 stars
CVSS 7.8
CVE-2018-15473 NOMISEC MEDIUM
OpenSSH < 7.7 - User Enumeration via Authentication Request Timing
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
by NHPT
1 stars
CVSS 5.3
CVE-2013-2028 NOMISEC
nginx 1.3.9-1.4.0 - Remote Code Execution via Chunked Transfer-Encoding
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
by tachibana51
3 stars
CVE-2019-7839 NOMISEC CRITICAL
ColdFusion <Update 3 - Command Injection
ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
by securifera
7 stars
CVSS 9.8
CVE-2017-9830 NOMISEC CRITICAL
Code42 CrashPlan 5.4.x - Remote Code Execution via org.apache.commons.ssl.rmi.DateRMI Deserialization
Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.
by securifera
1 stars
CVSS 9.8
CVE-2019-2525 NOMISEC MEDIUM
Oracle VM VirtualBox <5.2.24-6.0.2 - Privilege Escalation
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are prior to 5.2.24 and prior to 6.0.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 5.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).
by Phantomn
2 stars
CVSS 5.6
CVE-2019-13272 NOMISEC HIGH
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
by jas502n
328 stars
CVSS 7.8
CVE-2019-14439 NOMISEC HIGH
FasterXML jackson-databind <2.9.9.2 - Info Disclosure
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
by jas502n
5 stars
CVSS 7.5
CVE-2019-13272 NOMISEC HIGH
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
by Cyc1eC
5 stars
CVSS 7.8
CVE-2019-1132 NOMISEC HIGH
Windows 7 and Windows Server 2008 - Elevation of Privilege in Win32k Component
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.
by petercc
3 stars
CVSS 7.8
CVE-2018-14667 NOMISEC CRITICAL
RichFaces Framework 3.X-3.3.4 - Code Injection
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
by quandqn
1 stars
CVSS 9.8
CVE-2019-7238 NOMISEC CRITICAL
Sonatype Nexus Repository Manager <3.15.0 - Privilege Escalation
Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
by verctor
39 stars
CVSS 9.8
CVE-2019-2107 NOMISEC HIGH
Android 7.0-9 - Out-of-bounds Write in ihevcd_parse_pps
In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844.
by infiniteLoopers
4 stars
CVSS 8.8
CVE-2019-0708 NOMISEC CRITICAL
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
by ze0r
12 stars
CVSS 9.8
CVE-2019-1096 NOMISEC MEDIUM
Windows - Information Disclosure in win32k Component
An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.
by CrackerCat
CVSS 5.5
CVE-2019-0708 NOMISEC CRITICAL
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
by ntkernel0
1 stars
CVSS 9.8
CVE-2018-0708 NOMISEC HIGH
QNAP Q'center < 1.7.1063 - Authenticated OS Command Injection
Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
by ntkernel0
1 stars
CVSS 8.8
CVE-2019-12384 NOMISEC MEDIUM
FasterXML jackson-databind <2.9.9.1 - Deserialization
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
by jas502n
102 stars
CVSS 5.9
CVE-2014-4699 NOMISEC
Linux kernel <3.15.4 - Privilege Escalation
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
by vnik5287
1 stars
CVE-2017-16995 NOMISEC HIGH
Linux BPF Sign Extension Local Privilege Escalation
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
by vnik5287
1 stars
CVSS 7.8
CVE-2013-2094 NOMISEC HIGH
Linux Kernel < 3.0.75 - Local Privilege Escalation via perf_event_open System Call
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.
by vnik5287
1 stars
CVSS 8.4
CVE-2016-6187 NOMISEC HIGH
Linux kernel <4.6.5 - Privilege Escalation
The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.
by vnik5287
5 stars
CVSS 7.8
CVE-2014-4014 NOMISEC
Linux kernel <3.14.8 - Privilege Escalation
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.
by vnik5287
2 stars
CVE-2018-6574 NOMISEC HIGH
GO < 1.8.6 - Code Injection
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
by french560
CVSS 7.8
By Source
All 22,029 Writeup 60,933 Exploitdb 50,023 Nomisec 22,029 Metasploit 3,243 Github 3,050 Vulncheck_xdb 909 Inthewild 514 Gitlab 461 Gitee 415 Patchapalooza 312
By Language
text 31,351 python 6,262 ruby 5,933 c 3,602 perl 2,849 html 2,057 php 1,327 bash 460 java 364 c++ 253 javascript 221 shell 108 go 65 postscript 25 xml 24