[월:] 2022년 04월

CVE-2022-25226

Posted on by admin

CVE-2022-25226

ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via ‘http://thin-vnc:8080/cmd?cmd=connect’ by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.

Source: CVE-2022-25226

CVE-2021-3652

Posted on by admin

CVE-2021-3652

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.

Source: CVE-2021-3652

CVE-2021-3681

Posted on by admin

CVE-2021-3681

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the “build_ignore“ list in "galaxy.yml" include files in the “.tar.gz“ file. This contains sensitive info, such as the user’s Ansible Galaxy API key and any secrets in “ansible“ or “ansible-playbook“ verbose output without the“no_log“ redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Source: CVE-2021-3681

CVE-2021-23284

Posted on by admin

CVE-2021-23284

Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) version 1.5.0plus205 and all prior versions are vulnerable to Stored Cross-site Scripting vulnerability. This issue affects: Eaton Intelligent Power Manager Infrastructure (IPM Infrastructure) all version 1.5.0plus205 and prior versions.

Source: CVE-2021-23284