mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-05-05 10:18:17 +00:00
"-Synchronized-Data."
This commit is contained in:
parent
44c404179c
commit
78c0b15083
@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces,\nthen the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable.\nThis can in turn be used to gain root permissions.\n\nNote that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces\nare not supported) and the support of unprivileged user namespaces.\n\nKnown to be affected are:\n * Debian testing/unstable, if unprivileged user namespaces enabled (not default)\n * Debian buster-backports, if unprivileged user namespaces enabled (not default)\n * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default)\n * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default)\n\nThis has been fixed in the 0.4.1 release, and all affected users should update."
"value": "Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces. Known to be affected are: * Debian testing/unstable, if unprivileged user namespaces enabled (not default) * Debian buster-backports, if unprivileged user namespaces enabled (not default) * Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default) * Centos 7 flatpak COPR, if unprivileged user namespaces enabled (not default) This has been fixed in the 0.4.1 release, and all affected users should update."
}
]
},
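Review bot: replacing the embedded \n sequences in the "value" string with single spaces flattens the "Known to be affected are:" list, so the four " * Debian testing/unstable ... (not default)" style items now run together in one sentence with bare "*" characters as the only separators. The advisory content itself (setuid bwrap combined with unprivileged user namespaces, the `bwrap --userns2` option, fixed in 0.4.1) is unchanged. If the record format requires a single-line description, separate the items with "; " or drop the "*" markers instead of leaving bullet characters inline, and state in the commit message that the sync strips newlines, since "-Synchronized-Data." does not say why the description was rewritten.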
@ -85,4 +85,4 @@
"advisory": "GHSA-j2qp-rvxj-43vj",
"discovery": "UNKNOWN"
}
}
}
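Review bot: none of the four lines in this hunk, from "advisory": "GHSA-j2qp-rvxj-43vj" to the final closing "}", is marked as added or removed, so whatever changed here is something the rendered view hides, such as trailing whitespace or the newline at end of file. A whitespace-only hunk mixed into a content sync is hard to audit; normalize line endings in a separate commit or at least mention the normalization in the commit message.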
@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability.\n\nThe impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality,\nintegrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes,\nmodify data, or drop tables. The unescaped parameter is \"searchUsers\" when sending a POST request to \"/tickets/showKanban\"\nwith a valid session. In the code, the parameter is named \"users\" in class.tickets.php.\n\nThis issue is fixed in versions 2.0.15 and 2.1.0 beta 3."
"value": "Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is \"searchUsers\" when sending a POST request to \"/tickets/showKanban\" with a valid session. In the code, the parameter is named \"users\" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3."
}
]
},
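Review bot: the same newline-to-space flattening of the "value" string is applied here, and while the description is being rewritten it would be worth fixing an inconsistency the text carries: the first sentence names the fixed versions as "2.0.15 and 2.1-beta3" but the last sentence says "2.0.15 and 2.1.0 beta 3". Pick one spelling of the beta version so the two statements match. The technical content (SQL injection through the unescaped "searchUsers" parameter of a POST to "/tickets/showKanban" with a valid session, named "users" in class.tickets.php) is otherwise unchanged.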
@ -90,4 +90,4 @@
"advisory": "GHSA-ww6x-rhvp-55hp",
"discovery": "UNKNOWN"
}
}
}
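Review bot: as with the GHSA-j2qp-rvxj-43vj record, this "@ -90,4 +90,4 @@" hunk around "advisory": "GHSA-ww6x-rhvp-55hp" contains no line marked as added or removed, so the change is invisible in the rendered diff (trailing whitespace or end-of-file newline). If the sync tool rewrites every file's line endings, say so in the commit message so reviewers do not have to diff the bytes by hand to confirm that nothing in the record changed.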