CVE-2021-22216
A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description Date...
An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members’ on-call rotations in other projects Date published : 2021-06-08 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22215.json https://gitlab.com/gitlab-org/gitlab/-/issues/328668
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on...
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page...
ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with ‘#’ characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending...
RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending...
Dell EMC NetWorker, versions 18.x, 19.1.x, 19.2.x, 19.3.x, 19.4, and 19.4.0.1 contain an Improper Certificate Validation vulnerability in the client (NetWorker Management Console) components, which use an SSL-encrypted connection in order to communicate with...
Dell EMC NetWorker, 18.x, 19.1.x, 19.2.x, 19.3.x, 19.4 and 19.4.0.1, contains an Information Disclosure vulnerability. A local administrator of the gstd system may potentially exploit this vulnerability to read LDAP credentials from local logs...
The ATOM (ATOM – Smart life App for Android versions prior to 1.8.1 and ATOM – Smart life App for iOS versions prior to 1.8.2) does not verify server certificate properly, which allows man-in-the-middle...
WSR-1166DHP3 firmware Ver.1.16 and prior and WSR-1166DHP4 firmware Ver.1.02 and prior allow an attacker to execute arbitrary OS commands with root privileges via unspecified vectors. Date published : 2021-06-08 https://jvn.jp/en/vu/JVNVU92862829/index.html https://www.buffalo.jp/news/detail/20210531-01.html
Improper access control vulnerability in WSR-1166DHP3 firmware Ver.1.16 and prior and WSR-1166DHP4 firmware Ver.1.02 and prior allows an attacker to obtain configuration information via unspecified vectors. Date published : 2021-06-08 https://jvn.jp/en/vu/JVNVU92862829/index.html https://www.buffalo.jp/news/detail/20210531-01.html
Improper access control vulnerability in goo blog App for Android ver.1.2.25 and earlier and for iOS ver.1.3.3 and earlier allows a remote attacker to lead a user to access an arbitrary website via the...
Windows Print Spooler Elevation of Privilege Vulnerability Date published : 2021-06-08 https://www.kb.cert.org/vuls/id/383432 http://packetstormsecurity.com/files/163349/Microsoft-PrintNightmare-Proof-Of-Concept.html
Incorrect access control in push notification service in Night Owl Smart Doorbell FW version 20190505 allows remote users to send push notification events via an exposed PNS server. A remote attacker can passively record...