Show filters
177 Total Results
Displaying 41-50 of 177
Sort by:
Attacker Value
Unknown

Additional information exposure with Spring Data JPA example matcher

Disclosure Date: June 03, 2019 (last updated November 27, 2024)
This affects Spring Data JPA in versions up to and including 2.1.6, 2.0.14 and 1.11.20. ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.
Attacker Value
Unknown

Additional information exposure with Spring Data JPA derived queries

Disclosure Date: May 06, 2019 (last updated November 27, 2024)
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.
0
Attacker Value
Unknown

Invitations Service supports HTTP connections

Disclosure Date: April 24, 2019 (last updated November 27, 2024)
Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests.
Attacker Value
Unknown

Concourse 5.0.0 SQL Injection vulnerability

Disclosure Date: April 01, 2019 (last updated November 27, 2024)
Pivotal Concourse version 5.0.0, contains an API that is vulnerable to SQL injection. An Concourse resource can craft a version identifier that can carry a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.
0
Attacker Value
Unknown

Reflected XSS in Pivotal Operations Manager

Disclosure Date: March 07, 2019 (last updated November 27, 2024)
Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with malicious content could execute arbitrary JavaScript in the user's browser.
0
Attacker Value
Unknown

Open Redirect in spring-security-oauth2

Disclosure Date: March 07, 2019 (last updated November 27, 2024)
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRe…
Attacker Value
Unknown

Apps Manager unverified SSL certs in Cloud Controller proxy

Disclosure Date: March 07, 2019 (last updated November 27, 2024)
Pivotal Application Service (PAS), versions 2.2.x prior to 2.2.12, 2.3.x prior to 2.3.7 and 2.4.x prior to 2.4.3, contain apps manager that uses a cloud controller proxy that fails to verify SSL certs. A remote unauthenticated attacker that could hijack the Cloud Controller's DNS record could intercept access tokens sent to the Cloud Controller, giving the attacker access to the user's resources in the Cloud Controller
0
Attacker Value
Unknown

CVE-2019-3774

Disclosure Date: January 18, 2019 (last updated November 08, 2023)
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
0
Attacker Value
Unknown

Spring Web Services XML External Entity Injection (XXE)

Disclosure Date: January 18, 2019 (last updated December 28, 2023)
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
Attacker Value
Unknown

Concourse includes token in CLI authentication callback

Disclosure Date: January 12, 2019 (last updated November 27, 2024)
Pivotal Concourse, all versions prior to 4.2.2, puts the user access token in a url during the login flow. A remote attacker who gains access to a user's browser history could obtain the access token and use it to authenticate as the user.
0