Common Weakness Enumeration

CWE-358

Allowed

Improperly Implemented Security Check for Standard

Abstraction: Base · Status: Draft

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

197 vulnerabilities reference this CWE, most recent first.

CVE-2017-2612 (GCVE-0-2017-2612)

Vulnerability from cvelistv5 – Published: 2018-05-15 20:00 – Updated: 2024-08-05 14:02
VLAI
Summary
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK.
CWE
Assigner
Impacted products
Vendor Product Version
[UNKNOWN] jenkins Affected: jenkins 2.44
Affected: jenkins 2.32.2
Create a notification for this product.
Date Public
2017-02-01 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:06.508Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2017-02-01/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722"
          },
          {
            "name": "95957",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/95957"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jenkins",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "jenkins 2.44"
            },
            {
              "status": "affected",
              "version": "jenkins 2.32.2"
            }
          ]
        }
      ],
      "datePublic": "2017-02-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-16T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2017-02-01/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722"
        },
        {
          "name": "95957",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/95957"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2612",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "jenkins",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "jenkins 2.44"
                          },
                          {
                            "version_value": "jenkins 2.32.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "[UNKNOWN]"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to override JDK download credentials (SECURITY-392), resulting in future builds possibly failing to download a JDK."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-358"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2017-02-01/",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2017-02-01/"
            },
            {
              "name": "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722",
              "refsource": "CONFIRM",
              "url": "https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722"
            },
            {
              "name": "95957",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/95957"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-2612",
    "datePublished": "2018-05-15T20:00:00.000Z",
    "dateReserved": "2016-12-01T00:00:00.000Z",
    "dateUpdated": "2024-08-05T14:02:06.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-2611 (GCVE-0-2017-2611)

Vulnerability from cvelistv5 – Published: 2018-05-08 18:00 – Updated: 2024-08-05 14:02
VLAI
Summary
Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents.
CWE
Assigner
Impacted products
Vendor Product Version
unspecified jenkins Affected: jenkins 2.44
Affected: jenkins 2.32.2
Create a notification for this product.
Date Public
2017-02-01 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:06.500Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2017-02-01/"
          },
          {
            "name": "95956",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/95956"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jenkins",
          "vendor": "unspecified",
          "versions": [
            {
              "status": "affected",
              "version": "jenkins 2.44"
            },
            {
              "status": "affected",
              "version": "jenkins 2.32.2"
            }
          ]
        }
      ],
      "datePublic": "2017-02-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-09T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2017-02-01/"
        },
        {
          "name": "95956",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/95956"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2611",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "jenkins",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "jenkins 2.44"
                          },
                          {
                            "version_value": "jenkins 2.32.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": ""
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient permission check for periodic processes (SECURITY-389). The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins master and agents."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-358"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2017-02-01/",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2017-02-01/"
            },
            {
              "name": "95956",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/95956"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2611"
            },
            {
              "name": "https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86",
              "refsource": "CONFIRM",
              "url": "https://github.com/jenkinsci/jenkins/commit/97a61a9fe55f4c16168c123f98301a5173b9fa86"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-2611",
    "datePublished": "2018-05-08T18:00:00.000Z",
    "dateReserved": "2016-12-01T00:00:00.000Z",
    "dateUpdated": "2024-08-05T14:02:06.500Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-2604 (GCVE-0-2017-2604)

Vulnerability from cvelistv5 – Published: 2018-05-15 21:00 – Updated: 2024-08-05 14:02
VLAI
Summary
In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371).
CWE
Assigner
Impacted products
Vendor Product Version
[UNKNOWN] jenkins Affected: jenkins 2.44
Affected: jenkins 2.32.2
Create a notification for this product.
Date Public
2017-02-01 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:02:06.918Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2017-02-01/"
          },
          {
            "name": "95959",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/95959"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jenkins",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "jenkins 2.44"
            },
            {
              "status": "affected",
              "version": "jenkins 2.32.2"
            }
          ]
        }
      ],
      "datePublic": "2017-02-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371)."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-05-16T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2017-02-01/"
        },
        {
          "name": "95959",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/95959"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2017-2604",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "jenkins",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "jenkins 2.44"
                          },
                          {
                            "version_value": "jenkins 2.32.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "[UNKNOWN]"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Jenkins before versions 2.44, 2.32.2 low privilege users were able to act on administrative monitors due to them not being consistently protected by permission checks (SECURITY-371)."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-358"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2017-02-01/",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2017-02-01/"
            },
            {
              "name": "95959",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/95959"
            },
            {
              "name": "https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8",
              "refsource": "CONFIRM",
              "url": "https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2017-2604",
    "datePublished": "2018-05-15T21:00:00.000Z",
    "dateReserved": "2016-12-01T00:00:00.000Z",
    "dateUpdated": "2024-08-05T14:02:06.918Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-8635 (GCVE-0-2016-8635)

Vulnerability from cvelistv5 – Published: 2018-08-01 13:00 – Updated: 2024-08-06 02:27
VLAI
Summary
It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.
CWE
Assigner
References
URL Tags
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2016-2779.html vendor-advisoryx_refsource_REDHAT
https://security.gentoo.org/glsa/201701-46 vendor-advisoryx_refsource_GENTOO
http://www.securityfocus.com/bid/94346 vdb-entryx_refsource_BID
Impacted products
Vendor Product Version
Mozilla nss Affected: 3.21.x
Create a notification for this product.
Date Public
2016-11-16 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:27:41.258Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8635"
          },
          {
            "name": "RHSA-2016:2779",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-2779.html"
          },
          {
            "name": "GLSA-201701-46",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201701-46"
          },
          {
            "name": "94346",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94346"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nss",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "3.21.x"
            }
          ]
        }
      ],
      "datePublic": "2016-11-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-02T09:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8635"
        },
        {
          "name": "RHSA-2016:2779",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-2779.html"
        },
        {
          "name": "GLSA-201701-46",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201701-46"
        },
        {
          "name": "94346",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94346"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-8635",
    "datePublished": "2018-08-01T13:00:00.000Z",
    "dateReserved": "2016-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-06T02:27:41.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-8614 (GCVE-0-2016-8614)

Vulnerability from cvelistv5 – Published: 2018-07-31 21:00 – Updated: 2024-08-06 02:27
VLAI
Summary
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
CWE
Assigner
Impacted products
Vendor Product Version
Red Hat Ansible Affected: 2.2.0
Create a notification for this product.
Date Public
2016-11-01 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:27:41.024Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "94108",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94108"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ansible/ansible-modules-core/pull/5353"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ansible/ansible-modules-core/pull/5357"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ansible/ansible-modules-core/issues/5237"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ansible",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "2.2.0"
            }
          ]
        }
      ],
      "datePublic": "2016-11-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "CWE-358",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-08-01T16:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "94108",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94108"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ansible/ansible-modules-core/pull/5353"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ansible/ansible-modules-core/pull/5357"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ansible/ansible-modules-core/issues/5237"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-8614",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Ansible",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "6.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ],
            [
              {
                "vectorString": "6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-358"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "94108",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94108"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"
            },
            {
              "name": "https://github.com/ansible/ansible-modules-core/pull/5353",
              "refsource": "CONFIRM",
              "url": "https://github.com/ansible/ansible-modules-core/pull/5353"
            },
            {
              "name": "https://github.com/ansible/ansible-modules-core/pull/5357",
              "refsource": "CONFIRM",
              "url": "https://github.com/ansible/ansible-modules-core/pull/5357"
            },
            {
              "name": "https://github.com/ansible/ansible-modules-core/issues/5237",
              "refsource": "CONFIRM",
              "url": "https://github.com/ansible/ansible-modules-core/issues/5237"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-8614",
    "datePublished": "2018-07-31T21:00:00.000Z",
    "dateReserved": "2016-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-06T02:27:41.024Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2355-2H8C-MW45

Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-06 18:30
VLAI
Details

Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T16:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-2355-2h8c-mw45",
  "modified": "2024-08-06T18:30:57Z",
  "published": "2024-08-06T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7003"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/338233148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-262P-FJ3F-XH7V

Vulnerability from github – Published: 2026-06-26 15:32 – Updated: 2026-06-30 03:37
VLAI
Details

It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-304",
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T13:16:35Z",
    "severity": "HIGH"
  },
  "details": "It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue.",
  "id": "GHSA-262p-fj3f-xh7v",
  "modified": "2026-06-30T03:37:14Z",
  "published": "2026-06-26T15:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57915"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-57915"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493407"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/1y3glgh3kzwoxo5m2lq504cjlh1dsrfh"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-57915.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/26/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-282X-MJ8H-7Q8W

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:25
VLAI
Details

A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-31T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in samba\u0027s Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.",
  "id": "GHSA-282x-mj8h-7q8w",
  "modified": "2024-04-04T01:25:20Z",
  "published": "2022-05-24T16:51:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16860"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16860"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Aug/21"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Aug/22"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Aug/23"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Aug/25"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-52"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210351"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT210353"
    },
    {
      "type": "WEB",
      "url": "https://www.samba.org/samba/security/CVE-2018-16860.html"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_23"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Aug/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Aug/13"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Aug/14"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Aug/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-28WQ-PXV7-MR7M

Vulnerability from github – Published: 2022-05-14 03:47 – Updated: 2022-05-14 03:47
VLAI
Details

In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-358"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.",
  "id": "GHSA-28wq-pxv7-mr7m",
  "modified": "2022-05-14T03:47:20Z",
  "published": "2022-05-14T03:47:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15665"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/43454"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/145756/DiskBoss-Enterprise-8.5.12-Denial-Of-Service.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-29RJ-95HW-FHM9

Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 15:30
VLAI
Details

The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information in its log files (which are publicly accessible), including DeepL API key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-358",
      "CWE-532",
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information in its log files (which are publicly accessible), including DeepL API key.",
  "id": "GHSA-29rj-95hw-fhm9",
  "modified": "2022-11-23T15:30:21Z",
  "published": "2022-11-21T12:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3691"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/4248a0af-1b7e-4e29-8129-3f40c1d0c560"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.