Total: 3408 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18823 | 3 Debian, Fedoraproject, Wisc | 3 Debian Linux, Fedora, Htcondor | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| HTCondor up to and including stable series 8.8.6 and development series 8.9.4 has Incorrect Access Control. It is possible to use a different authentication method to submit a job than the administrator has specified. If the administrator has configured the READ or WRITE methods to include CLAIMTOBE, then it is possible to impersonate another user to the condor_schedd (for example, to submit or remove jobs). | |||||
| CVE-2019-17134 | 2 Canonical, Opendev | 2 Ubuntu Linux, Octavia | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED. | |||||
| CVE-2019-14870 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2023-11-07 | 6.4 MEDIUM | 5.4 MEDIUM |
| All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set. | |||||
| CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | |||||
| CVE-2019-12405 | 1 Apache | 1 Traffic Control | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password. | |||||
| CVE-2019-12300 | 1 Buildbot | 1 Buildbot | 2023-11-07 | 5.0 MEDIUM | 9.8 CRITICAL |
| Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim. | |||||
| CVE-2018-7749 | 1 Asyncssh Project | 1 Asyncssh | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step. | |||||
| CVE-2018-6689 | 1 Mcafee | 1 Data Loss Prevention Endpoint | 2023-11-07 | 4.6 MEDIUM | 7.8 HIGH |
| Authentication Bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLPe) 10.0.x earlier than 10.0.510, and 11.0.x earlier than 11.0.600 allows attackers to bypass local security protection via specific conditions. | |||||
| CVE-2018-6686 | 1 Mcafee | 1 Drive Encryption | 2023-11-07 | 4.6 MEDIUM | 6.6 MEDIUM |
| Authentication Bypass vulnerability in TPM autoboot in McAfee Drive Encryption (MDE) 7.1.0 and above allows physically proximate attackers to bypass local security protection via specific set of circumstances. | |||||
| CVE-2018-6667 | 1 Mcafee | 1 Mcafee Web Gateway | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Authentication Bypass vulnerability in the administrative user interface in McAfee Web Gateway 7.8.1.0 through 7.8.1.5 allows remote attackers to execute arbitrary code via Java management extensions (JMX). | |||||
| CVE-2018-1343 | 1 Netiq | 1 Privileged Account Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| PAM exposure enabling unauthenticated access to remote host | |||||
| CVE-2018-1317 | 1 Apache | 1 Zeppelin | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. | |||||
| CVE-2018-1312 | 5 Apache, Canonical, Debian and 2 more | 14 Http Server, Ubuntu Linux, Debian Linux and 11 more | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. | |||||
| CVE-2018-1286 | 1 Apache | 1 Openmeetings | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users. | |||||
| CVE-2018-19834 | 1 Bombba Project | 1 Bombba | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The quaker function of a smart contract implementation for BOMBBA (BOMB), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19833 | 1 Ddq Project | 1 Ddq | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The owned function of a smart contract implementation for DDQ, a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19832 | 1 Newinteltechmedia Project | 1 Newinteltechmedia | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The NETM() function of a smart contract implementation for NewIntelTechMedia (NETM), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19831 | 1 Cryptbond Network Project | 1 Cryptbond Network | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The ToOwner() function of a smart contract implementation for Cryptbond Network (CBN), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity. | |||||
| CVE-2018-19645 | 1 Microfocus | 1 Solutions Business Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| An Authentication Bypass issue exists in Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5. | |||||
| CVE-2018-18095 | 1 Intel | 4 Ssd Dc S4500, Ssd Dc S4500 Firmware, Ssd Dc S4600 and 1 more | 2023-11-07 | 4.6 MEDIUM | 6.8 MEDIUM |
| Improper authentication in firmware for Intel(R) SSD DC S4500 Series and Intel(R) SSD DC S4600 Series before SCV10150 may allow an unprivileged user to potentially enable escalation of privilege via physical access. | |||||
