Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
References
https://nvd.nist.gov/v…
Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission….
An issue was discovered in the lru crate before 0.7.1 for Rust. The iterators have a use-after-free, as demonstrated by an access after a pop operation.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-45720
https://raw.githubusercontent.com/rusts…
pytorch-lightning is vulnerable to Deserialization of Untrusted Data.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-4118
https://github.com/pytorchlightning/pytorch-lightning/commit/62f1e82e032eb16565e676d39e0db0cac7e34ace
https://huntr.dev/bou…
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-25024
https://raw.github…
An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-25023
https://raw.githubusercontent.com/rustsec/ad…
An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly extend the lifetime of a string, leading to memory corruption.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-25025
https://raw.githubusercontent.com/rustsec…
archivy is vulnerable to Cross-Site Request Forgery (CSRF). There is a fix available in the master branch.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-4162
https://github.com/archivy/archivy/commit/796c3ae318eea183fc88c87ec5a27355b0f6a99d
htt…
A vulnerability in Kubernetes kube-apiserver could allow node updates to bypass a Validating Admission Webhook and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overw…
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache se…
