Информационная безопасность
[RU] switch to English


Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
Опубликовано:17 февраля 2011 г.
Источник:
SecurityVulns ID:11441
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:COPPERMINE : Coppermine 1.5
 DRUPAL : Drupal 6.20
 FLATNUX : flatnux 2011 01.26
 APACHE : Archiva 1.2
Оригинальный текстdocumentAPACHE, [SECURITY] CVE-2011-0533: Apache Archiva cross-site scripting vulnerability (17.02.2011)
 documentHigh-Tech Bridge Security Research, HTB22834: Path disclosure in FlatnuX (17.02.2011)
 documentHigh-Tech Bridge Security Research, HTB22835: DoS (Denial of Service) Risk in FlatnuX (17.02.2011)
 documentHigh-Tech Bridge Security Research, HTB22836: Path disclosure in Coppermine (17.02.2011)
 documentMustLive, Уязвимость в reCAPTCHA для Drupal (17.02.2011)
 documentMustLive, Уязвимости в Drupal (17.02.2011)

Уязвимости безопасности в Tembria Server Monitor
Опубликовано:17 февраля 2011 г.
Источник:
SecurityVulns ID:11442
Тип:удаленная
Уровень опасности:
5/10
Описание:Слабая криптография, межсайтовый скриптинг.
Затронутые продукты:TEMBRIA : Tembria Server Monitor 6.0
Оригинальный текстdocumentrobkraus_(at)_solutionary.com, Tembria Server Monitor Weak Cryptographic Password Storage Vulnerability (17.02.2011)
 documentrobkraus_(at)_solutionary.com, Tembria Server Monitor Multiple Cross-site Scripting (XSS) Vulnerabilities (17.02.2011)

Многочисленные уязвимости в Oracle Java / OpenJDK
Опубликовано:17 февраля 2011 г.
Источник:
SecurityVulns ID:11443
Тип:библиотека
Уровень опасности:
8/10
Описание:Свыше 20 различных уязвимостей.
Затронутые продукты:ORACLE : JDK 5.0
 ORACLE : Jre 6.0
 ORACLE : JDK 6.0
 ORACLE : OpenJDK 6
CVE:CVE-2011-0706 (The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor.")
 CVE-2010-4476 (The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.)
 CVE-2010-4475 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2010-4474 (Unspecified vulnerability in the Java DB component in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows local users to affect confidentiality via unknown vectors related to Security, a similar vulnerability to CVE-2009-4269.)
 CVE-2010-4473 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.)
 CVE-2010-4472 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations.")
 CVE-2010-4471 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.)
 CVE-2010-4470 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator.")
 CVE-2010-4469 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs.")
 CVE-2010-4468 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to JDBC.)
 CVE-2010-4467 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2010-4466 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, Solaris, and, Linux; 5.0 Update 27 and earlier for Windows; and 1.4.2_29 and earlier for Windows allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2010-4465 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to the lack of framework support by AWT event dispatch, and/or "clipboard access in Applets.")
 CVE-2010-4463 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 21 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
 CVE-2010-4462 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.)
 CVE-2010-4454 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.)
 CVE-2010-4452 (Unspecified vulnerability in the Deployment component in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-4451 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, when using Java Update, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.)
 CVE-2010-4450 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.)
 CVE-2010-4448 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets.")
 CVE-2010-4447 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.)
 CVE-2010-4422 (Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.)
Оригинальный текстdocumentZDI, ZDI-11-086: Oracle Java Webstart Trusted JNLP Extension Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-083: Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-085: Oracle Java XGetSamplePtrFromSnd Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-084: Oracle Java Unsigned Applet Applet2ClassLoader Remote Code Execution Vulnerability (17.02.2011)
 documentZDI, ZDI-11-082: Oracle Java Runtime NTLM Authentication Information Leakage Vulnerability (17.02.2011)
Файлы:Oracle Java SE and Java for Business Critical Patch Update Advisory - February 2011

Проблемы с безопасностью в passwd / shadow
дополнено с 17 февраля 2011 г.
Опубликовано:18 февраля 2011 г.
Источник:
SecurityVulns ID:11444
Тип:локальная
Уровень опасности:
5/10
Описание:Возможно внедрение переводов строки в /etc/passwd
Затронутые продукты:DEBIAN : passwd 4.1
CVE:CVE-2011-0721 (Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2164-1] shadow security update (17.02.2011)
 documentUBUNTU, [USN-1065-1] shadow vulnerability (17.02.2011)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород