| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via OracleNet to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Core RDBMS. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). |
| Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via OracleNet to compromise Core RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Core RDBMS. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). |
| A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) |
| If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. QTS versions prior to 4.4.3.1421 on build 20200907. |
| If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. QTS versions prior to 4.4.3.1421 on build 20200907. |
| Jenkins CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project. |
| Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration. |
| Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code. |
| Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain access to some metadata of any arbitrary files on the Jenkins controller. |
| Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller |
| Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. |
| A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts. |
| Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure. |
| Jenkins Gitlab Authentication Plugin 1.5 and earlier does not perform group authorization checks properly, resulting in a privilege escalation vulnerability. |
| Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
