CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
701 CVE-2019-10391 319 2019-08-28 2020-10-02
4.3
None Remote Medium Not required Partial None None
Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
702 CVE-2019-10390 Exec Code Bypass 2019-08-28 2021-11-02
6.5
None Remote Low ??? Partial Partial Partial
A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earlier allowed attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
703 CVE-2019-10389 862 2019-08-07 2020-10-01
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.
704 CVE-2019-10388 352 CSRF 2019-08-07 2019-10-09
4.3
None Remote Medium Not required None Partial None
A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.
705 CVE-2019-10387 862 2019-08-07 2020-10-02
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
706 CVE-2019-10386 352 CSRF 2019-08-07 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability in Jenkins XL TestView Plugin 1.2.0 and earlier in XLTestView.XLTestDescriptor#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
707 CVE-2019-10385 522 2019-08-07 2020-10-01
4.0
None Remote Low ??? Partial None None
Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
708 CVE-2019-10384 352 Bypass CSRF 2019-08-28 2019-09-20
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.
709 CVE-2019-10383 79 XSS 2019-08-28 2019-09-20
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.
710 CVE-2019-10382 295 2019-08-07 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.
711 CVE-2019-10381 295 2019-08-07 2019-10-09
4.3
None Remote Medium Not required Partial None None
Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.
712 CVE-2019-10380 Exec Code 2019-08-07 2020-10-01
6.5
None Remote Low ??? Partial Partial Partial
Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
713 CVE-2019-10379 522 2019-08-07 2020-10-02
4.0
None Remote Low ??? Partial None None
Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
714 CVE-2019-10378 522 2019-08-07 2020-10-01
2.1
None Local Low Not required Partial None None
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
715 CVE-2019-10377 862 2019-08-07 2020-10-01
4.0
None Remote Low ??? None Partial None
A missing permission check in Jenkins Avatar Plugin 1.2 and earlier allows attackers with Overall/Read access to change the avatar of any user of Jenkins.
716 CVE-2019-10376 79 XSS 2019-08-07 2019-10-09
4.3
None Remote Medium Not required None Partial None
A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.
717 CVE-2019-10375 2019-08-07 2020-10-02
4.0
None Remote Low ??? Partial None None
An arbitrary file read vulnerability in Jenkins File System SCM Plugin 2.1 and earlier allows attackers able to configure jobs in Jenkins to obtain the contents of any file on the Jenkins master.
718 CVE-2019-10374 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.
719 CVE-2019-10373 79 XSS 2019-08-07 2019-10-09
3.5
None Remote Medium ??? None Partial None
A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.
720 CVE-2019-10372 601 2019-08-07 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.
721 CVE-2019-10371 384 2019-08-07 2019-10-09
5.0
None Remote Low Not required Partial None None
A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
722 CVE-2019-10370 532 2019-08-07 2020-10-02
4.3
None Remote Medium Not required Partial None None
Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.
723 CVE-2019-10369 862 2019-08-07 2020-10-01
4.0
None Remote Low ??? Partial None None
A missing permission check in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
724 CVE-2019-10368 352 CSRF 2019-08-07 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
A cross-site request forgery vulnerability in Jenkins JClouds Plugin 2.14 and earlier in BlobStoreProfile.DescriptorImpl#doTestConnection and JCloudsCloud.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
725 CVE-2019-10367 532 2019-08-07 2019-10-09
2.1
None Local Low Not required Partial None None
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.
726 CVE-2019-10201 347 2019-08-14 2020-10-02
5.5
None Remote Low ??? Partial Partial None
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
727 CVE-2019-10199 352 2019-08-14 2021-10-28
6.8
None Remote Medium Not required Partial Partial Partial
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.
728 CVE-2019-10176 352 CSRF 2019-08-02 2019-09-17
5.8
None Remote Medium Not required Partial Partial None
A flaw was found in OpenShift Container Platform, versions 3.11 and later, in which the CSRF tokens used in the cluster console component were found to remain static during a user's session. An attacker with the ability to observe the value of this token would be able to re-use the token to perform a CSRF attack.
729 CVE-2019-10171 770 DoS 2019-08-02 2020-12-04
7.8
None Remote Low Not required None None Complete
It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5. An attacker would still be able to provoke excessive CPU consumption leading to a denial of service.
730 CVE-2019-10168 22 Dir. Trav. 2019-08-02 2020-10-15
4.6
None Local Low Not required Partial Partial Partial
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
731 CVE-2019-10167 22 Dir. Trav. 2019-08-02 2020-10-15
4.6
None Local Low Not required Partial Partial Partial
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
732 CVE-2019-10166 2019-08-02 2020-10-15
4.6
None Local Low Not required Partial Partial Partial
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.
733 CVE-2019-10140 476 DoS 2019-08-15 2019-09-06
4.9
None Local Low Not required None None Complete
A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs. An attacker with local access can create a denial of service situation via NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).
734 CVE-2019-10099 310 2019-08-07 2021-07-21
4.3
None Remote Medium Not required Partial None None
Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.
735 CVE-2019-10094 770 Overflow 2019-08-02 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
736 CVE-2019-10093 770 2019-08-02 2020-08-24
4.3
None Remote Medium Not required None None Partial
In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
737 CVE-2019-10088 770 2019-08-02 2020-08-24
6.8
None Remote Medium Not required Partial Partial Partial
A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
738 CVE-2019-10086 502 2019-08-20 2021-12-14
7.5
None Remote Low Not required Partial Partial Partial
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
739 CVE-2019-10081 787 2019-08-15 2021-06-06
5.0
None Remote Low Not required None None Partial
HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
740 CVE-2019-10059 254 2019-08-28 2019-09-03
5.0
None Remote Low Not required Partial None None
The legacy finger service (TCP port 79) is enabled by default on various older Lexmark devices.
741 CVE-2019-10058 2019-08-28 2020-08-24
6.4
None Remote Low Not required Partial Partial None
Various Lexmark products have Incorrect Access Control.
742 CVE-2019-10057 352 CSRF 2019-08-28 2019-08-29
4.3
None Remote Medium Not required None Partial None
Various Lexmark products have CSRF.
743 CVE-2019-10056 119 Exec Code Overflow 2019-08-28 2021-07-21
5.0
None Remote Low Not required None None Partial
An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't determine the current length. Specifically, if the packet is exactly 28 long, in the first iteration it subtracts 14 bytes. Then, it is working with a packet length of 14. At this point, the case distinction says it is a valid packet. After that it casts the packet, but this packet has no type, and the program crashes at the type case distinction.
744 CVE-2019-10055 20 2019-08-28 2021-07-21
7.8
None Remote Low Not required None None Complete
An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.
745 CVE-2019-10054 119 Overflow 2019-08-28 2021-07-21
5.0
None Remote Low Not required None None Partial
An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.
746 CVE-2019-10052 707 2019-08-28 2019-09-04
5.0
None Remote Low Not required None None Partial
An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to access a part of a DHCP packet. At this point, the Rust environment runs into a panic in parse_clientid_option in the dhcp/parser.rs file.
747 CVE-2019-10051 754 2019-08-28 2019-09-05
5.0
None Remote Low Not required None None Partial
An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.
748 CVE-2019-9935 306 2019-08-28 2020-08-24
5.0
None Remote Low Not required Partial None None
Various Lexmark products have Incorrect Access Control (issue 2 of 2).
749 CVE-2019-9934 306 2019-08-28 2020-08-24
5.0
None Remote Low Not required Partial None None
Various Lexmark products have Incorrect Access Control (issue 1 of 2).
750 CVE-2019-9933 119 Overflow 2019-08-28 2019-09-03
10.0
None Remote Low Not required Complete Complete Complete
Various Lexmark products have a Buffer Overflow (issue 3 of 3).
Total number of vulnerabilities : 2004   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 (This Page)16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.