Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Communications_cloud_native_core_automated_test_suite
(Oracle)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 50 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-06-05 | CVE-2018-1000195 | A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not. | Jenkins, Communications_cloud_native_core_automated_test_suite | 4.3 | ||
| 2018-07-23 | CVE-2018-1999001 | A unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users. | Jenkins, Communications_cloud_native_core_automated_test_suite | 8.8 | ||
| 2018-07-23 | CVE-2018-1999002 | A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to. | Jenkins, Communications_cloud_native_core_automated_test_suite | 7.5 | ||
| 2018-07-23 | CVE-2018-1999003 | A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. | Jenkins, Communications_cloud_native_core_automated_test_suite | 4.3 | ||
| 2018-07-23 | CVE-2018-1999004 | A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches. | Jenkins, Communications_cloud_native_core_automated_test_suite | 4.3 | ||
| 2018-07-23 | CVE-2018-1999005 | A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. | Jenkins, Communications_cloud_native_core_automated_test_suite | 5.4 | ||
| 2018-07-23 | CVE-2018-1999007 | A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled. | Jenkins, Communications_cloud_native_core_automated_test_suite | 5.4 | ||
| 2021-01-14 | CVE-2021-22132 | Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2 | Elasticsearch, Communications_cloud_native_core_automated_test_suite | 4.8 | ||
| 2021-07-21 | CVE-2021-22145 | A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. | Elasticsearch, Communications_cloud_native_core_automated_test_suite | 6.5 | ||
| 2021-07-26 | CVE-2021-22144 | In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node. | Elasticsearch, Communications_cloud_native_core_automated_test_suite | 6.5 |