Show CWE-693: Protection Mechanism Failure - CXSecurity.com

	Topic	Date	Author
Med.	Oracle Database Protection Mechanism Bypass	13.12.2021	Moritz Bechler

CVEMAP Search Results

CVE

Details

Description

2022-07-27

Waiting for details

CVE-2022-36899

Updating...

Jenkins Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.

2022-06-23

Medium

CVE-2022-34181

Vendor: Jenkins
Software: Xunit

Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.

2022-01-19

Low

CVE-2022-22152

Vendor: Juniper
Software: Contrail ser...

A Protection Mechanism Failure vulnerability in the REST API of Juniper Networks Contrail Service Orchestration allows one tenant on the system to view confidential configuration details of another tenant on the same system. By utilizing the REST API, one tenant is able to obtain information on another tenant's firewall configuration and access control policies, as well as other sensitive information, exposing the tenant to reduced defense against malicious attacks or exploitation via additional undetermined vulnerabilities. This issue affects Juniper Networks Contrail Service Orchestration versions prior to 6.1.0 Patch 3.

2021-11-12

Medium

CVE-2021-43578

Vendor: Jenkins
Software: Squash tm pu...

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

2021-11-04

Medium	CVE-2021-21696	Vendor: Jenkins Software: Jenkins	Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs, allowing attackers in control of agent processes to replace the code of a trusted library with a modified variant. This results in unsandboxed code execution in the Jenkins controller process.
Medium	CVE-2021-21690	Vendor: Jenkins Software: Jenkins	Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

2021-09-09

Medium

CVE-2021-32835

Vendor: Eclipse
Software: KETI

Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063.

2021-08-31

Medium	CVE-2021-21678	Vendor: Jenkins Software: SAML	Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
Medium	CVE-2021-21679	Vendor: Jenkins Software: Azure ad	Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.

2021-04-21

Medium

CVE-2021-21646

Vendor: Jenkins
Software: Templating e...

Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin, allowing attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Copyright 2022, cxsecurity.com