Search criteria
18 vulnerabilities by Netflix
CVE-2024-9301 (GCVE-0-2024-9301)
Vulnerability from cvelistv5 – Published: 2024-09-27 17:41 – Updated: 2024-09-27 18:59
VLAI?
Summary
A path traversal issue in E2Nest prior to commit 8a41948e553c89c56b14410c6ed395e9cfb9250a
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:netflix:e2nest:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "e2nest",
"vendor": "netflix",
"versions": [
{
"lessThan": "8a41948e553c89c56b14410c6ed395e9cfb9250a",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T18:57:50.355035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:59:31.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "E2Nest",
"repo": "https://github.com/Netflix/e2nest",
"vendor": "Netflix",
"versions": [
{
"lessThan": "8a41948e553c89c56b14410c6ed395e9cfb9250a",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA path traversal issue in E2Nest prior to commit 8a41948e553c89c56b14410c6ed395e9cfb9250a\u003c/span\u003e"
}
],
"value": "A path traversal issue in E2Nest prior to commit 8a41948e553c89c56b14410c6ed395e9cfb9250a"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T17:41:49.445Z",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-004.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2024-9301",
"datePublished": "2024-09-27T17:41:49.445Z",
"dateReserved": "2024-09-27T17:13:09.452Z",
"dateUpdated": "2024-09-27T18:59:31.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7093 (GCVE-0-2024-7093)
Vulnerability from cvelistv5 – Published: 2024-08-01 21:07 – Updated: 2024-08-02 16:04
VLAI?
Summary
Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:netflix:dispatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dispatch",
"vendor": "netflix",
"versions": [
{
"lessThan": "20240731",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T16:04:33.810735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T16:04:37.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dispatch",
"repo": "https://github.com/Netflix/dispatch",
"vendor": "Netflix",
"versions": [
{
"lessThan": "v20240731",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dispatch\u0027s notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out."
}
],
"value": "Dispatch\u0027s notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:07:35.787Z",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Template Injection in Dispatch Message Templates",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2024-7093",
"datePublished": "2024-08-01T21:07:35.787Z",
"dateReserved": "2024-07-24T21:43:55.252Z",
"dateUpdated": "2024-08-02T16:04:37.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5023 (GCVE-0-2024-5023)
Vulnerability from cvelistv5 – Published: 2024-05-16 18:05 – Updated: 2024-08-01 21:03
VLAI?
Summary
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:netflix:consoleme:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "consoleme",
"vendor": "netflix",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T19:41:24.820927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:54:20.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:09.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ConsoleMe",
"repo": "https://github.com/Netflix/consoleme/",
"vendor": "Netflix",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"datePublic": "2024-05-16T18:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Netflix ConsoleMe allows Command Injection.\u003cp\u003eThis issue affects ConsoleMe: before 1.4.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Netflix ConsoleMe allows Command Injection.This issue affects ConsoleMe: before 1.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-16T18:23:48.028Z",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-002.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Arbitrary File Read Vulnerability in ConsoleMe via Limited Git command RCE",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2024-5023",
"datePublished": "2024-05-16T18:05:40.240Z",
"dateReserved": "2024-05-16T17:55:52.981Z",
"dateUpdated": "2024-08-01T21:03:09.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4701 (GCVE-0-2024-4701)
Vulnerability from cvelistv5 – Published: 2024-05-10 18:37 – Updated: 2024-08-01 20:47
VLAI?
Summary
A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18
Severity ?
9.9 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:netflix:genie:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "genie",
"vendor": "netflix",
"versions": [
{
"lessThan": "4.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4701",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T19:06:05.557902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:51:31.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-001.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Genie",
"repo": "https://github.com/Netflix/genie",
"vendor": "Netflix",
"versions": [
{
"lessThanOrEqual": "4.3.18",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18"
}
],
"value": "A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-10T18:37:21.582Z",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-001.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal vulnerability via File Uploads in Genie",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2024-4701",
"datePublished": "2024-05-10T18:37:21.582Z",
"dateReserved": "2024-05-09T18:27:58.122Z",
"dateUpdated": "2024-08-01T20:47:41.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40171 (GCVE-0-2023-40171)
Vulnerability from cvelistv5 – Published: 2023-08-17 21:19 – Updated: 2024-10-07 19:47
VLAI?
Summary
Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could be done by using the secret to sign attacker crafted JWTs. If you think that you may be impacted, we strongly suggest you to rotate the secret stored in the `DISPATCH_JWT_SECRET` envvar in the `.env` file. This issue has been addressed in commit `b1942a4319` which has been included in the `20230817` release. users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
9.1 (Critical)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:55.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7"
},
{
"name": "https://github.com/Netflix/dispatch/pull/3695",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/dispatch/pull/3695"
},
{
"name": "https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70"
},
{
"name": "https://github.com/Netflix/dispatch/releases/tag/latest",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/dispatch/releases/tag/latest"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40171",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T19:47:05.416497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T19:47:13.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dispatch",
"vendor": "Netflix",
"versions": [
{
"status": "affected",
"version": "\u003c 20230817"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the `Dispatch Plugin - Basic Authentication Provider` plugin encounters an error when attempting to decode a JWT token. Any Dispatch users who own their instance and rely on the `Dispatch Plugin - Basic Authentication Provider` plugin for authentication may be impacted, allowing for any account to be taken over within their own instance. This could be done by using the secret to sign attacker crafted JWTs. If you think that you may be impacted, we strongly suggest you to rotate the secret stored in the `DISPATCH_JWT_SECRET` envvar in the `.env` file. This issue has been addressed in commit `b1942a4319` which has been included in the `20230817` release. users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-17T21:19:28.326Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Netflix/dispatch/security/advisories/GHSA-fv3x-67q3-6pg7"
},
{
"name": "https://github.com/Netflix/dispatch/pull/3695",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/dispatch/pull/3695"
},
{
"name": "https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/dispatch/commit/b1942a4319f0de820d86b84a58ebc85398b97c70"
},
{
"name": "https://github.com/Netflix/dispatch/releases/tag/latest",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/dispatch/releases/tag/latest"
}
],
"source": {
"advisory": "GHSA-fv3x-67q3-6pg7",
"discovery": "UNKNOWN"
},
"title": "Dispatch writes JWT tokens in error message"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40171",
"datePublished": "2023-08-17T21:19:28.326Z",
"dateReserved": "2023-08-09T15:26:41.051Z",
"dateUpdated": "2024-10-07T19:47:13.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30797 (GCVE-0-2023-30797)
Vulnerability from cvelistv5 – Published: 2023-04-19 19:10 – Updated: 2025-11-21 16:10
VLAI?
Summary
Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.
Severity ?
7.5 (High)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-30797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T14:49:23.482600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T14:50:36.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/lemur/",
"defaultStatus": "unaffected",
"packageName": "lemur",
"product": "Lemur",
"repo": "https://github.com/Netflix/lemur",
"vendor": "Netflix",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netflix:lemur:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.3.2",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2023-02-28T15:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eNetflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur."
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330 Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T16:10:24.442Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2023-001.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/Netflix/lemur/commit/666d853212174ee7f4e6f8b3b4b389ede1872238"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/Netflix/lemur/security/advisories/GHSA-5fqv-mpj8-h7gm"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/netflix-lemur-weak-rng"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Random Generation in Netflix Lemur",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-30797",
"datePublished": "2023-04-19T19:10:12.523Z",
"dateReserved": "2023-04-18T10:31:45.962Z",
"dateUpdated": "2025-11-21T16:10:24.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-27177 (GCVE-0-2022-27177)
Vulnerability from cvelistv5 – Published: 2022-04-01 22:17 – Updated: 2024-08-03 05:25
VLAI?
Summary
A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2
Severity ?
No CVSS data available.
CWE
- Format String Vulnerability in ConsoleMe
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:25:31.009Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ConsoleMe",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 1.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Format String Vulnerability in ConsoleMe",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:04",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2022-27177",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ConsoleMe",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 1.2.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Format String Vulnerability in ConsoleMe"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2022-001.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2022-27177",
"datePublished": "2022-04-01T22:17:04",
"dateReserved": "2022-03-25T00:00:00",
"dateUpdated": "2024-08-03T05:25:31.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28099 (GCVE-0-2021-28099)
Vulnerability from cvelistv5 – Published: 2021-03-23 20:28 – Updated: 2024-08-03 21:33
VLAI?
Summary
In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.
Severity ?
No CVSS data available.
CWE
- Local Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Netflix OSS Hollow |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.497Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netflix OSS Hollow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Local Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-23T20:28:52",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2021-28099",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Netflix OSS Hollow",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Local Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2021-28099",
"datePublished": "2021-03-23T20:28:52",
"dateReserved": "2021-03-09T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28100 (GCVE-0-2021-28100)
Vulnerability from cvelistv5 – Published: 2021-03-23 20:26 – Updated: 2024-08-03 21:33
VLAI?
Summary
Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process.
Severity ?
No CVSS data available.
CWE
- Local Information Disclosure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Netflix OSS Priam |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netflix OSS Priam",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Local Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-23T20:26:01",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2021-28100",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Netflix OSS Priam",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Local Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2021-28100",
"datePublished": "2021-03-23T20:26:01",
"dateReserved": "2021-03-09T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2323 (GCVE-0-2020-2323)
Vulnerability from cvelistv5 – Published: 2020-12-03 15:55 – Updated: 2024-08-04 07:09
VLAI?
Summary
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins project | Jenkins Chaos Monkey Plugin |
Affected:
unspecified , ≤ 0.4
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.327Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%282%29"
},
{
"name": "[oss-security] 20201203 Multiple vulnerabilities in Jenkins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Chaos Monkey Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "0.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:09:15.916Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%282%29"
},
{
"name": "[oss-security] 20201203 Multiple vulnerabilities in Jenkins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2020-2323",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Chaos Monkey Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "0.4"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20(2)",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20(2)"
},
{
"name": "[oss-security] 20201203 Multiple vulnerabilities in Jenkins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2020-2323",
"datePublished": "2020-12-03T15:55:16",
"dateReserved": "2019-12-05T00:00:00",
"dateUpdated": "2024-08-04T07:09:54.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2322 (GCVE-0-2020-2322)
Vulnerability from cvelistv5 – Published: 2020-12-03 15:55 – Updated: 2024-08-04 07:09
VLAI?
Summary
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jenkins project | Jenkins Chaos Monkey Plugin |
Affected:
unspecified , ≤ 0.3
(custom)
Unaffected: 0.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%281%29"
},
{
"name": "[oss-security] 20201203 Multiple vulnerabilities in Jenkins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jenkins Chaos Monkey Plugin",
"vendor": "Jenkins project",
"versions": [
{
"lessThanOrEqual": "0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "0.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:09:14.782Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20%281%29"
},
{
"name": "[oss-security] 20201203 Multiple vulnerabilities in Jenkins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2020-2322",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins Chaos Monkey Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "0.3"
},
{
"version_affected": "!",
"version_value": "0.4.1"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20(1)",
"refsource": "CONFIRM",
"url": "https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-2109%20(1)"
},
{
"name": "[oss-security] 20201203 Multiple vulnerabilities in Jenkins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2020-2322",
"datePublished": "2020-12-03T15:55:15",
"dateReserved": "2019-12-05T00:00:00",
"dateUpdated": "2024-08-04T07:09:54.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9299 (GCVE-0-2020-9299)
Vulnerability from cvelistv5 – Published: 2020-11-09 14:50 – Updated: 2024-08-04 10:26
VLAI?
Summary
There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user.
Severity ?
No CVSS data available.
CWE
- Multiple Cross-Site Scripting Vulnerabilities
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Netflix Dispatch |
Affected:
All versions prior to v20201106
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:15.857Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/dispatch/releases/tag/v20201106"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-004.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netflix Dispatch",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to v20201106"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Multiple Cross-Site Scripting Vulnerabilities",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T14:50:18",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/dispatch/releases/tag/v20201106"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-004.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2020-9299",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Netflix Dispatch",
"version": {
"version_data": [
{
"version_value": "All versions prior to v20201106"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Multiple Cross-Site Scripting Vulnerabilities"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/dispatch/releases/tag/v20201106",
"refsource": "MISC",
"url": "https://github.com/Netflix/dispatch/releases/tag/v20201106"
},
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-004.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-004.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2020-9299",
"datePublished": "2020-11-09T14:50:18",
"dateReserved": "2020-02-19T00:00:00",
"dateUpdated": "2024-08-04T10:26:15.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9300 (GCVE-0-2020-9300)
Vulnerability from cvelistv5 – Published: 2020-11-09 14:41 – Updated: 2024-08-04 10:26
VLAI?
Summary
The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user.
Severity ?
No CVSS data available.
CWE
- Multiple Multiple Access Control Issues in Dispatch
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Netflix Dispatch |
Affected:
All versions prior to v20201106
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:15.669Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-005.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/dispatch/releases/tag/v20201106"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netflix Dispatch",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to v20201106"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Multiple Multiple Access Control Issues in Dispatch",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T14:41:37",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-005.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/dispatch/releases/tag/v20201106"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2020-9300",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Netflix Dispatch",
"version": {
"version_data": [
{
"version_value": "All versions prior to v20201106"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Multiple Multiple Access Control Issues in Dispatch"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-005.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-005.md"
},
{
"name": "https://github.com/Netflix/dispatch/releases/tag/v20201106",
"refsource": "MISC",
"url": "https://github.com/Netflix/dispatch/releases/tag/v20201106"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2020-9300",
"datePublished": "2020-11-09T14:41:37",
"dateReserved": "2020-02-19T00:00:00",
"dateUpdated": "2024-08-04T10:26:15.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9297 (GCVE-0-2020-9297)
Vulnerability from cvelistv5 – Published: 2020-07-14 19:07 – Updated: 2024-08-04 10:26
VLAI?
Summary
Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Severity ?
No CVSS data available.
CWE
- Server-Side Template Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Netflix Titus |
Affected:
All versions prior to version v0.1.1-rc.274
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:15.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netflix Titus",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version v0.1.1-rc.274"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Template Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-14T19:07:54",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2020-9297",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Netflix Titus",
"version": {
"version_data": [
{
"version_value": "All versions prior to version v0.1.1-rc.274"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netflix Titus, all versions prior to version v0.1.1-rc.274, uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Template Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2020-9297",
"datePublished": "2020-07-14T19:07:54",
"dateReserved": "2020-02-19T00:00:00",
"dateUpdated": "2024-08-04T10:26:15.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9296 (GCVE-0-2020-9296)
Vulnerability from cvelistv5 – Published: 2020-06-16 13:19 – Updated: 2024-08-04 10:26
VLAI?
Summary
Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code.
Severity ?
No CVSS data available.
CWE
- Server-Side Template Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Netflix Titus |
Affected:
All versions prior to version v0.1.1-rc.274
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Netflix Titus",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version v0.1.1-rc.274"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Template Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-30T17:36:33",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2020-9296",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Netflix Titus",
"version": {
"version_data": [
{
"version_value": "All versions prior to version v0.1.1-rc.274"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netflix Titus uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, different types of interpolation are supported, including Java EL expressions. If an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Template Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md",
"refsource": "MISC",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2020-9296",
"datePublished": "2020-06-16T13:19:56",
"dateReserved": "2020-02-19T00:00:00",
"dateUpdated": "2024-08-04T10:26:16.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10028 (GCVE-0-2019-10028)
Vulnerability from cvelistv5 – Published: 2019-06-21 20:10 – Updated: 2024-08-04 22:10
VLAI?
Summary
Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019.
Severity ?
No CVSS data available.
CWE
- Denial of Service
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Netflix | Dial Reference Source Code Repo (https://github.com/Netflix/dial-reference) |
Affected:
Before June 18
Affected: 2019. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:09.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2019-002.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Dial Reference Source Code Repo (https://github.com/Netflix/dial-reference)",
"vendor": "Netflix",
"versions": [
{
"status": "affected",
"version": "Before June 18"
},
{
"status": "affected",
"version": "2019."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-21T20:10:03",
"orgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"shortName": "netflix"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2019-002.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-report@netflix.com",
"ID": "CVE-2019-10028",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Dial Reference Source Code Repo (https://github.com/Netflix/dial-reference)",
"version": {
"version_data": [
{
"version_value": "Before June 18"
},
{
"version_value": "2019."
}
]
}
}
]
},
"vendor_name": "Netflix"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Denial of Service (DOS) in Dial Reference Source Code Used before June 18th, 2019."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2019-002.md",
"refsource": "CONFIRM",
"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2019-002.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ea63fd80-a441-4c7b-ba78-e48a8071cae2",
"assignerShortName": "netflix",
"cveId": "CVE-2019-10028",
"datePublished": "2019-06-21T20:10:03",
"dateReserved": "2019-03-25T00:00:00",
"dateUpdated": "2024-08-04T22:10:09.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7764 (GCVE-0-2015-7764)
Vulnerability from cvelistv5 – Published: 2017-08-09 16:00 – Updated: 2024-08-06 07:58
VLAI?
Summary
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:58:59.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Netflix/lemur/issues/117"
},
{
"name": "[oss-security] 20151020 Re: CVE request for sqlalchemy-utils",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/20/3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kvesteri/sqlalchemy-utils/issues/166"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-09T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Netflix/lemur/issues/117"
},
{
"name": "[oss-security] 20151020 Re: CVE request for sqlalchemy-utils",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/10/20/3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kvesteri/sqlalchemy-utils/issues/166"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7764",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/lemur/issues/117",
"refsource": "CONFIRM",
"url": "https://github.com/Netflix/lemur/issues/117"
},
{
"name": "[oss-security] 20151020 Re: CVE request for sqlalchemy-utils",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/10/20/3"
},
{
"name": "https://github.com/kvesteri/sqlalchemy-utils/issues/166",
"refsource": "CONFIRM",
"url": "https://github.com/kvesteri/sqlalchemy-utils/issues/166"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7764",
"datePublished": "2017-08-09T16:00:00",
"dateReserved": "2015-10-09T00:00:00",
"dateUpdated": "2024-08-06T07:58:59.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7266 (GCVE-0-2017-7266)
Vulnerability from cvelistv5 – Published: 2017-03-26 05:47 – Updated: 2024-08-05 15:56
VLAI?
Summary
Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the "next" parameter which then redirects to any domain irrespective of the Host header.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:56:36.399Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Netflix/security_monkey/releases/tag/v0.8.0"
},
{
"name": "97088",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97088"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3c1c12262466"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Netflix/security_monkey/pull/482"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the \"next\" parameter which then redirects to any domain irrespective of the Host header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-28T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Netflix/security_monkey/releases/tag/v0.8.0"
},
{
"name": "97088",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97088"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3c1c12262466"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Netflix/security_monkey/pull/482"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7266",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the \"next\" parameter which then redirects to any domain irrespective of the Host header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Netflix/security_monkey/releases/tag/v0.8.0",
"refsource": "CONFIRM",
"url": "https://github.com/Netflix/security_monkey/releases/tag/v0.8.0"
},
{
"name": "97088",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97088"
},
{
"name": "https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3c1c12262466",
"refsource": "CONFIRM",
"url": "https://github.com/Netflix/security_monkey/commit/3b4da13efabb05970c80f464a50d3c1c12262466"
},
{
"name": "https://github.com/Netflix/security_monkey/pull/482",
"refsource": "CONFIRM",
"url": "https://github.com/Netflix/security_monkey/pull/482"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7266",
"datePublished": "2017-03-26T05:47:00",
"dateReserved": "2017-03-26T00:00:00",
"dateUpdated": "2024-08-05T15:56:36.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}