Filtered by CWE-285
Filtered by vendor Subscriptions
Total 889 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-10906 3 Debian, Fuse Project, Redhat 6 Debian Linux, Fuse, Enterprise Linux and 3 more 2024-11-21 N/A
In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. This allows non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.
CVE-2018-10861 4 Ceph, Debian, Opensuse and 1 more 9 Ceph, Debian Linux, Leap and 6 more 2024-11-21 N/A
A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches master, mimic, luminous and jewel are believed to be affected.
CVE-2018-1000195 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-11-21 4.3 Medium
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
CVE-2018-1000015 1 Jenkins 1 Pipeline Nodes And Processes 2024-11-21 N/A
On Jenkins instances with Authorize Project plugin, the authentication associated with a build may lack the Computer/Build permission on some agents. This did not prevent the execution of Pipeline `node` blocks on those agents due to incorrect permissions checks in Pipeline: Nodes and Processes plugin 2.17 and earlier.
CVE-2018-0505 3 Debian, Mediawiki, Redhat 3 Debian Linux, Mediawiki, Openshift 2024-11-21 N/A
Mediawiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock
CVE-2017-9325 1 Cloudera 1 Cdh 2024-11-21 N/A
The provided secure solrconfig.xml sample configuration does not enforce Sentry authorization on /update/json/docs.
CVE-2017-9268 1 Opensuse 1 Open Build Service 2024-11-21 N/A
In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).
CVE-2017-8777 1 Open-xchange 1 Ox Cloud 2024-11-21 N/A
Open-Xchange GmbH OX Cloud Plugins 1.4.0 and earlier is affected by: Missing Authorization.
CVE-2017-8409 1 Dlink 2 Dcs-1130, Dcs-1130 Firmware 2024-11-21 7.5 High
An issue was discovered on D-Link DCS-1130 devices. The device requires that a user logging to the device to provide a username and password. However, the device does not enforce the same restriction on a specific URL thereby allowing any attacker in possession of that to view the live video feed. The severity of this attack is enlarged by the fact that there more than 100,000 D-Link devices out there.
CVE-2017-8252 1 Qualcomm 110 Ipq4019, Ipq4019 Firmware, Ipq8074 and 107 more 2024-11-21 N/A
Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8074, MDM9150, MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24, SM7150, Snapdragon_High_Med_2016, SXR1130
CVE-2017-7789 1 Mozilla 1 Firefox 2024-11-21 N/A
If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. This vulnerability affects Firefox < 55.
CVE-2017-2632 1 Redhat 3 Cloudforms, Cloudforms Management Engine, Cloudforms Managementengine 2024-11-21 N/A
A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges.
CVE-2017-2589 2 Hawt, Redhat 3 Hawtio, Jboss Amq, Jboss Fuse 2024-11-21 N/A
It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.
CVE-2017-16773 1 Synology 1 Universal Search 2024-11-21 N/A
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
CVE-2017-16743 1 Phoenixcontact 58 Fl Switch 3004t-fx, Fl Switch 3004t-fx Firmware, Fl Switch 3004t-fx St and 55 more 2024-11-21 N/A
An Improper Authorization issue was discovered in PHOENIX CONTACT FL SWITCH 3xxx, 4xxx, and 48xxx Series products running firmware Version 1.0 to 1.32. A remote unauthenticated attacker may be able to craft special HTTP requests allowing an attacker to bypass web-service authentication allowing the attacker to obtain administrative privileges on the device.
CVE-2017-16726 1 Beckhoff 1 Twincat 2024-11-21 N/A
Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been designed to achieve security purposes and therefore does not include any encryption algorithms because of their negative effect on performance and throughput. An attacker can forge arbitrary ADS packets when legitimate ADS traffic is observable.
CVE-2017-15138 1 Redhat 2 Openshift, Openshift Container Platform 2024-11-21 N/A
The OpenShift Enterprise cluster-read can access webhook tokens which would allow an attacker with sufficient privileges to view confidential webhook tokens.
CVE-2017-11398 1 Trendmicro 1 Smart Protection Server 2024-11-21 N/A
A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.
CVE-2017-0927 1 Gitlab 1 Gitlab 2024-11-21 N/A
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the deployment keys component resulting in unauthorized use of deployment keys by guest users.
CVE-2017-0926 2 Debian, Gitlab 2 Debian Linux, Gitlab 2024-11-21 N/A
Gitlab Community Edition version 10.3 is vulnerable to an improper authorization issue in the Oauth sign-in component resulting in unauthorized user login.