Search for packages
| purl | pkg:rpm/redhat/tfm-ror52-rubygem-execjs@2.7.0-1?arch=el7sat |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2g54-3acq-pbha
Aliases: CVE-2020-10716 |
rubygem-foreman_ansible: "User input" entry from Job Invocation may contain sensitive data | There are no reported fixed by versions. |
|
VCID-3af2-c1m7-3kdr
Aliases: CVE-2019-10198 |
foreman: authorization bypasses in foreman-tasks leading to information disclosure | There are no reported fixed by versions. |
|
VCID-3t8t-yt9b-1fce
Aliases: CVE-2016-10516 GHSA-h2fp-xgx6-xh6f PYSEC-2017-43 |
Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message. | There are no reported fixed by versions. |
|
VCID-6fxc-s6ht-x7ht
Aliases: CVE-2016-10745 GHSA-hj2j-77xm-mc5v PYSEC-2019-220 |
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. | There are no reported fixed by versions. |
|
VCID-6wxf-ewtr-z3hb
Aliases: CVE-2019-10906 GHSA-462w-v97r-4m45 PYSEC-2019-217 |
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. | There are no reported fixed by versions. |
|
VCID-9wej-f7zx-pfeq
Aliases: CVE-2019-12086 GHSA-5ww9-j83m-q7qx |
Information exposure in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. | There are no reported fixed by versions. |
|
VCID-bhq3-j6aj-1yae
Aliases: CVE-2019-10086 GHSA-6phf-73q6-gh87 |
Insecure Deserialization in Apache Commons Beanutils In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | There are no reported fixed by versions. |
|
VCID-bsbd-bsbq-7qdk
Aliases: CVE-2019-14825 GHSA-m4wh-848j-9w2r |
Katello cleartext password storage issue A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users. | There are no reported fixed by versions. |
|
VCID-ftzy-9uny-byfb
Aliases: CVE-2018-16887 GHSA-mhhc-r88h-2qrm |
Cross-site Scripting A cross-site scripting (XSS) flaw was found in the katello component of Satellite. An attacker with privilege to create/edit organizations and locations is able to execute a XSS attacks against other users through the Subscriptions or the Red Hat Repositories wizards. This can possibly lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users. Versions before `3.9.0` are vulnerable. | There are no reported fixed by versions. |
|
VCID-hmcs-7s53-mbft
Aliases: CVE-2019-3893 |
foreman: Recover of plaintext password or token for the compute resources | There are no reported fixed by versions. |
|
VCID-m29v-624x-kkha
Aliases: CVE-2019-3891 |
candlepin: credentials exposure through log files | There are no reported fixed by versions. |
|
VCID-mv26-fzn6-vycf
Aliases: CVE-2017-17718 GHSA-m7p8-9w66-9frm |
No validation of hostname certificate Net-ldap does not validate the hostname certificate. Ruby is relying on OpenSSL, and one common mistake made by users of OpenSSL is to assume that OpenSSL will validate the hostname in the server's certificate. did not perform hostname validation. and up contain support for hostname validation, but they still require the user to call a few functions to set it up. | There are no reported fixed by versions. |
|
VCID-nmya-eyxd-9ybe
Aliases: CVE-2018-1000632 GHSA-6pcc-3rfx-4gpm |
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. | There are no reported fixed by versions. |
|
VCID-pyr1-73vu-93ej
Aliases: CVE-2018-14664 |
foreman: Persisted XSS on all pages that use breadcrumbs | There are no reported fixed by versions. |
|
VCID-rnuk-n3a6-cbh9
Aliases: CVE-2018-16861 |
foreman: stored XSS in success notification after entity creation | There are no reported fixed by versions. |
|
VCID-sw69-1r7d-kkht
Aliases: CVE-2018-16470 GHSA-hg78-4f6x-99wq |
Uncontrolled Resource Consumption There is a possible DoS vulnerability in the multipart parser in Rack. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. | There are no reported fixed by versions. |
|
VCID-wbgc-tuj3-47by
Aliases: CVE-2016-6346 GHSA-wxvr-vqfp-9cqw |
Uncontrolled Resource Consumption RESTEasy enables `GZIPInterceptor`, which allows remote attackers to cause a denial of service via unspecified vectors. | There are no reported fixed by versions. |
|
VCID-wucb-ckae-97aq
Aliases: CVE-2018-10917 GHSA-574p-6fw4-4hw8 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories. | There are no reported fixed by versions. |
|
VCID-z6er-42pm-7ubq
Aliases: CVE-2019-0231 GHSA-5h29-qq92-wj7f |
Cleartext Transmission of Sensitive Information in Apache MINA Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA. | There are no reported fixed by versions. |
|
VCID-zx5n-czhy-6qgu
Aliases: CVE-2019-12387 GHSA-6cc5-2vg4-cc7m PYSEC-2019-128 |
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||