Max CVSS 7.5 Min CVSS 2.1 Total Count2
IDCVSSSummaryLast (major) updatePublished
CVE-2019-12086 5.0
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java ja
13-09-2023 - 14:16 17-05-2019 - 17:29
CVE-2019-10906 5.0
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.
01-03-2023 - 14:56 07-04-2019 - 00:29
CVE-2019-12387 4.3
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
28-02-2023 - 20:47 10-06-2019 - 12:29
CVE-2019-14825 4.0
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry cre
12-02-2023 - 23:34 25-11-2019 - 16:15
CVE-2018-10917 4.0
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso reposit
12-02-2023 - 22:15 15-08-2018 - 17:29
CVE-2019-3893 4.0
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resou
30-11-2022 - 22:00 09-04-2019 - 16:29
CVE-2020-10716 4.0
A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and
21-10-2022 - 17:58 27-05-2021 - 19:15
CVE-2019-10086 7.5
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by defa
25-07-2022 - 18:15 20-08-2019 - 21:15
CVE-2018-1000632 5.0
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be explo
07-09-2021 - 06:15 20-08-2018 - 19:31
CVE-2019-3891 2.1
It was discovered that a world-readable log file belonging to Candlepin component of Red Hat Satellite 6.4 leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify th
15-10-2020 - 19:58 15-04-2019 - 12:31
CVE-2019-12086 5.0
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java ja
01-10-2020 - 00:15 17-05-2019 - 17:29
CVE-2019-10198 4.0
An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view th
30-09-2020 - 18:16 31-07-2019 - 22:15
CVE-2019-10198 4.0
An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view th
30-09-2020 - 18:16 31-07-2019 - 22:15
CVE-2018-16470 5.0
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
09-10-2019 - 23:36 13-11-2018 - 23:29
CVE-2019-0231 5.0
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.
08-10-2019 - 17:47 01-10-2019 - 20:15
CVE-2016-10745 5.0
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
06-06-2019 - 16:29 08-04-2019 - 13:29
CVE-2018-16861 3.5
A cross-site scripting (XSS) flaw was found in the foreman component of satellite. An attacker with privilege to create entries using the Hosts, Monitor, Infrastructure, or Administer Menus is able to execute a XSS attacks against other users, possib
14-05-2019 - 17:29 07-12-2018 - 19:29
CVE-2018-14664 3.5
A flaw was found in foreman from versions 1.18. A stored cross-site scripting vulnerability exists due to an improperly escaped HTML code in the breadcrumbs bar. This allows a user with permissions to edit which attribute is used in the breadcrumbs b
14-05-2019 - 17:29 12-10-2018 - 22:15
CVE-2016-6346 5.0
RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.
14-05-2019 - 17:29 07-09-2016 - 18:59
CVE-2018-16887 3.5
A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Rep
14-05-2019 - 17:29 13-01-2019 - 02:29
CVE-2016-10516 4.3
Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML v
04-02-2018 - 02:29 23-10-2017 - 16:29
CVE-2017-17718 4.3
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.
05-01-2018 - 18:12 17-12-2017 - 21:29
Back to Top Mark selected
Back to Top