Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 1.9 days (on average).

CVE-2020-2268

Cross-Site Request Forgery (CSRF) in maven/io.jenkins.plugins/mongodb

A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller.

Added on 2020-09-22

CVE-2020-13944

Cross-site Scripting in pypi/apache-airflow

In Apache Airflow, the `origin` parameter passed to endpoints like `/trigger` is vulnerable to XSS.

Added on 2020-09-22

CVE-2020-14332

Inclusion of Sensitive Information in Log Files in pypi/ansible

A flaw was found in the Ansible Engine when using `module_args`. Tasks executed with check mode (`--check-mode`) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.

Added on 2020-09-22

CVE-2020-8927

Buffer Overflow in conan/brotli

A buffer overflow exists in the Brotli library where an attacker controlling the input length of a `one-shot` decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.

Added on 2020-09-22

CVE-2020-2254

Path Traversal in maven/io.jenkins.blueocean/blueocean

Jenkins Blue Ocean Plugin provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.

Added on 2020-09-21

CVE-2020-24660

Direct Request (Forced Browsing) in npm/lemonldap-ng-handler

An issue was discovered in `LemonLDAP::NG` when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI.

Added on 2020-09-21

CVE-2020-2258

Incorrect Authorization in maven/org.jenkins-ci.plugins/cloudbees-jenkins-advisor

Jenkins Health Advisor by CloudBees Plugin does not correctly perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view that HTTP endpoint.

Added on 2020-09-21

CVE-2020-14330

Improper Encoding or Escaping of Output in pypi/ansible

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and JSON output. This flaw allows an attacker with access to the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

Added on 2020-09-21

CVE-2020-2272

Missing Authorization in maven/org.jenkins-ci.plugins/elastest

A missing permission check in Jenkins ElasTest Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Added on 2020-09-21

CVE-2020-11991

Improper Restriction of XML External Entity Reference in maven/org.apache.cocoon/cocoon-core

When using the `StreamGenerator`, the code parses user-provided XML. A specially crafted XML document, including external system entities, could be used to access any file on the server system.

Added on 2020-09-21

CVE-2020-2273

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/elastest

A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

Added on 2020-09-21

CVE-2020-2276

OS Command Injection in maven/org.jvnet.hudson.plugins/selection-tasks-plugin

Jenkins Selection tasks Plugin 1.0 executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

Added on 2020-09-21

CVE-2020-2277

Path Traversal in maven/org.jvnet.hudson.plugins/storable-configs-plugin

Jenkins Storable Configs Plugin allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

Added on 2020-09-21

CVE-2020-2278

Path Traversal in maven/org.jvnet.hudson.plugins/storable-configs-plugin

Jenkins Storable Configs Plugin does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job `config.xml` file's content.

Added on 2020-09-21

CVE-2020-2255

Missing Authorization in maven/io.jenkins.blueocean/blueocean

A missing permission check in Jenkins Blue Ocean Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Added on 2020-09-21

CVE-2020-2271

Cross-site Scripting in maven/org.jvnet.hudson.plugins/locked-files-report

Jenkins Locked Files Report Plugin does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Added on 2020-09-21

CVE-2020-2275

Path Traversal in maven/org.jvnet.hudson.plugins/copy-data-to-workspace-plugin

Jenkins Copy data to workspace Plugin does not limit which directories can be copied from the Jenkins controller to job workspaces, allowing attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.

Added on 2020-09-21

CVE-2020-2265

Cross-site Scripting in maven/io.jenkins.plugins/covcomplplot

Jenkins Coverage/Complexity Scatter Plot Plugin does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

Added on 2020-09-21

CVE-2020-2260

Missing Authorization in maven/io.jenkins.plugins/perfecto

A missing permission check in Jenkins Perfecto Plugin allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials.

Added on 2020-09-21

CVE-2020-2274

Cleartext Storage of Sensitive Information in maven/org.jenkins-ci.plugins/elastest

Jenkins ElasTest Plugin stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Added on 2020-09-21

CVE-2020-2267

Missing Authorization in maven/io.jenkins.plugins/mongodb

A missing permission check in Jenkins MongoDB Plugin allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Added on 2020-09-21

CVE-2020-2261

OS Command Injection in maven/io.jenkins.plugins/perfecto

Jenkins Perfecto Plugin executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Added on 2020-09-21

CVE-2020-11991

Improper Restriction of XML External Entity Reference in maven/org.apache.cocoon/cocoon

When using the `StreamGenerator`, the code parses user-provided XML. A specially crafted XML document, including external system entities, could be used to access any file on the server system.

Added on 2020-09-18

CVE-2020-0878

Memory Corruption in nuget/Microsoft.ChakraCore

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.

Added on 2020-09-18

CVE-2020-15168

Allocation of Resources Without Limits or Throttling in npm/node-fetch

node-fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Added on 2020-09-18

CVE-2020-1180

Out-of-bounds Write in nuget/Microsoft.ChakraCore

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1172.

Added on 2020-09-18

CVE-2020-16873

Insecure Default Initialization of Resource in nuget/xamarin.forms

A spoofing vulnerability manifests in Microsoft `Xamarin.Forms` due to the default settings on Android WebView, aka 'Xamarin.Forms Spoofing Vulnerability'.

Added on 2020-09-18

CVE-2020-1172

Out-of-bounds Write in nuget/Microsoft.ChakraCore

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1180.

Added on 2020-09-18

CVE-2020-25540

Path Traversal in packagist/zoujingli/thinkadmin

ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrary files on a remote server via the GET request `encode` parameter.

Added on 2020-09-18

CVE-2020-2270

Cross-site Scripting in maven/org.jvnet.hudson.plugins/clearcase-release

Jenkins ClearCase Release Plugin does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Added on 2020-09-17

CVE-2020-11998

Code Injection in maven/org.apache.activemq/activemq-broker

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to `RMIConnectorServer`, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

Added on 2020-09-17

CVE-2020-2259

Cross-site Scripting in maven/jenkins.ci.plugins.computerqueue/computer-queue-plugin

Jenkins computer-queue-plugin Plugin does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Added on 2020-09-17

CVE-2020-2266

Cross-site Scripting in maven/org.jenkins-ci.plugins/description-column-plugin

Jenkins Description Column Plugin does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Added on 2020-09-17

CVE-2020-2257

Cross-site Scripting in maven/org.jenkins-ci.plugins/validating-string-parameter

Jenkins Validating String Parameter Plugin does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Added on 2020-09-17

CVE-2020-1968

Inadequate Encryption Strength in conan/openssl

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite.

Added on 2020-09-17

CVE-2020-2269

Cross-site Scripting in maven/org.jenkins-ci.plugins/chosen-views-tabbar

Jenkins chosen-views-tabbar Plugin does not escape view names in the dropdown to select views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

Added on 2020-09-17

CVE-2020-2264

Cross-site Scripting in maven/org.jenkins-ci.plugins/custom-job-icon

Jenkins Custom Job Icon Plugin does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Added on 2020-09-17

CVE-2020-7730

Command Injection in npm/bestzip

The package bestzip is vulnerable to Command Injection via the `options` parameter.

Added on 2020-09-17

CVE-2020-15169

Cross-site Scripting in gem/actionview

In Action View there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named `html` or ending in `_html`, the default string is incorrectly marked as HTML-safe and not escaped.

Added on 2020-09-17

CVE-2020-2263

Cross-site Scripting in maven/org.jenkins-ci.plugins/radiatorviewplugin

Jenkins Radiator View Plugin does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Added on 2020-09-17

CVE-2020-1057

Improper Restriction of Operations within the Bounds of a Memory Buffer in nuget/Microsoft.ChakraCore

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1172, CVE-2020-1180.

Added on 2020-09-15

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/security

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-16150

Information Exposure Through Discrepancy in conan/mbedtls

A Lucky 13 timing side channel in `mbedtls_ssl_decrypt_buf` in `library/ssl_msg.c` in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on the padding length.

Added on 2020-09-14

CVE-2020-24977

Buffer Overflow in conan/libxml2

GNOME project libxml2 has a global Buffer Overflow vulnerability in `xmlEncodeEntitiesInternal` at `libxml2/entities.c`. The issue has been fixed in commit `8e7c20a1` (20910-GITv2.9.10-103-g8e7c20a1).

Added on 2020-09-14

CVE-2020-23811

Information Exposure in maven/xxl-job

xxl-job allows Information Disclosure of username, model, and password via `job/admin/controller/UserController.java`.

Added on 2020-09-14

CVE-2020-7729

Insecure Default Initialization of Resource in npm/grunt

The package grunt is vulnerable to Arbitrary Code Execution due to the default usage of the function `load()` instead of its secure replacement `safeLoad()` of the package js-yaml inside `grunt.file.readYAML`.

Added on 2020-09-14

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/http-client

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/form

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/http-foundation

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/security-http

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/http-kernel

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-24977

Buffer Overflow in nuget/libxml2.vc140_xp.mt.static.x86

GNOME project libxml2 has a global Buffer Overflow vulnerability in `xmlEncodeEntitiesInternal` at `libxml2/entities.c`. The issue has been fixed in commit `8e7c20a1` (20910-GITv2.9.10-103-g8e7c20a1).

Added on 2020-09-14

CVE-2020-15094

Improper Cross-boundary Removal of Sensitive Data in packagist/symfony/symfony

In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Added on 2020-09-14

CVE-2020-24583

Incorrect Default Permissions in pypi/Django

An issue was discovered in Django (when Python + is used). `FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the `collectstatic` management command.

Added on 2020-09-12

CVE-2020-24584

Incorrect Default Permissions in pypi/Django

An issue was discovered in Django (when Python + is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than `0o077`.

Added on 2020-09-11

CVE-2020-13920

Improper Authentication in maven/org.apache.activemq/activemq-web-console

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original and binds that instead, they effectively become a man in the middle and are able to intercept the credentials when a user connects. Upgrade to Apache ActiveMQ

Added on 2020-09-11

CVE-2020-25102

Cross-site Scripting in packagist/silverstripe-australia/advancedreports

The Advanced Reports module for SilverStripe is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects `admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item` (report preview) when an SVG document is provided in the `Description` parameter.

Added on 2020-09-11

CVE-2020-13920

Improper Authentication in maven/org.apache.activemq/activemq-broker

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original and binds that instead, they effectively become a man in the middle and are able to intercept the credentials when a user connects. Upgrade to Apache ActiveMQ

Added on 2020-09-11

CVE-2020-15170

Improper Input Validation in nuget/Creekdream.Configuration.Apollo

apollo-adminservice does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work in an intranet and does not have access control built in. Malicious actors may access the apollo-adminservice APIs directly to access or edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice to not expose apollo-adminservice to the internet.

Added on 2020-09-11

CVE-2020-14209

Unrestricted Upload of File with Dangerous Type in packagist/dolibarr/dolibarr

Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because `.pht` and `.phar` files can be uploaded. Also, an `.htaccess` file can be uploaded to reconfigure access control (e.g., to let `.noexe` files be executed as PHP code to defeat the `.noexe` protection mechanism).

Added on 2020-09-11

CVE-2020-13920

Improper Authentication in maven/org.apache.activemq/activemq-client

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original and binds that instead, they effectively become a man in the middle and are able to intercept the credentials when a user connects. Upgrade to Apache ActiveMQ

Added on 2020-09-11

CVE-2020-15170

Improper Input Validation in npm/ctrip-apollo

apollo-adminservice does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work in an intranet and does not have access control built in. Malicious actors may access the apollo-adminservice APIs directly to access or edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice to not expose apollo-adminservice to the internet.

Added on 2020-09-11

CVE-2020-13920

Improper Authentication in maven/org.apache.activemq/activemq-all

Apache ActiveMQ uses `LocateRegistry.createRegistry()` to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original and binds that instead, they effectively become a man in the middle and are able to intercept the credentials when a user connects. Upgrade to Apache ActiveMQ

Added on 2020-09-11