Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date
CVE-2015-4166 Cloudera Key Trustee Server before 5.4.3 does not store keys synchronously, which might allow attackers to have unspecified impact via vectors related to loss of an encryption key. High Mar 27, 2017
CVE-2021-29994 Cloudera Hue 4.6.0 allows XSS. MEDIUM Nov 9, 2021
CVE-2021-32481 Cloudera Hue 4.6.0 allows XSS via the type parameter. MEDIUM Nov 9, 2021
CVE-2016-4947 Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete. MEDIUM Mar 8, 2017
CVE-2020-26936 Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack. MEDIUM Nov 27, 2020
CVE-2018-17860 Cloudera CDH has Insecure Permissions because ALL cannot be revoked. This affects 5.x through 5.15.1 and 6.x through 6.0.1. MEDIUM Nov 26, 2019
CVE-2016-5724 Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagnostic Support Bundles. MEDIUM Nov 26, 2019
CVE-2016-3131 Cloudera CDH before 5.6.1 allows authorization bypass via direct internal API calls. MEDIUM Nov 26, 2019
CVE-2020-9120 CloudEngine 1800V versions V100R019C10SPC500 has a resource management error vulnerability. Remote unauthorized attackers could send specific types of messages to the device, resulting in messages received by the system not being forwarded normally. MEDIUM Dec 24, 2020
CVE-2020-1861 CloudEngine 12800 with versions of V200R001C00SPC600,V200R001C00SPC700,V200R002C01,V200R002C50SPC800,V200R002C50SPC800PWE,V200R003C00SPC810,V200R003C00SPC810PWE,V200R005C00SPC600,V200R005C00SPC800,V200R005C00SPC800PWE,V200R005C10,V200R005C10SPC300 have an information leakage vulnerability in some Huawei products. In some special cases, an authenticated attacker can exploit this vulnerability because the software processes data improperly. Successful exploitation may lead to information leakage. LOW Feb 28, 2020
CVE-2019-5248 CloudEngine 12800 has a DoS vulnerability. An attacker of a neighboring device sends a large number of specific packets. As a result, a memory leak occurs after the device uses the specific packet. As a result, the attacker can exploit this vulnerability to cause DoS attacks on the target device. MEDIUM Dec 13, 2019
CVE-2019-9745 CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user. HIGH Oct 21, 2019
CVE-2024-30249 Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR1-20240330.101522-15` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to use Network as an amplification vector for a UDP denial of service attack against a third party or as an attempt to trigger service suspension of the host. All consumers of the library should upgrade to at least version `1.0.0.CR1-20240330.101522-15` to receive a fix. There are no known workarounds beyond updating the library. -- Apr 4, 2024
CVE-2019-16999 CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status field in JSON data to the api/osinstall/v1/device/getNumByStatus URI. HIGH Oct 2, 2019
CVE-2019-15720 CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pre or Post backup action. With only user-level access, a user can modify the backup plan and add a Pre backup action script that executes on behalf of NT AUTHORITY\SYSTEM. -- Aug 28, 2019
CVE-2019-11350 CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page. MEDIUM Apr 22, 2019
CVE-2016-3721 CloudBees Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. MEDIUM May 18, 2016
CVE-2016-3725 CloudBees Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption). MEDIUM May 18, 2016
CVE-2016-3723 CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints. MEDIUM May 18, 2016
CVE-2016-3722 CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the full name. MEDIUM May 18, 2016
CVE-2016-3724 CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. MEDIUM May 18, 2016
CVE-2016-0791 CloudBees Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach. HIGH Apr 11, 2016
CVE-2016-0790 CloudBees Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach. MEDIUM Apr 11, 2016
CVE-2015-7538 CloudBees Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors. MEDIUM Feb 3, 2016
CVE-2015-5318 CloudBees Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack. MEDIUM Nov 25, 2015
CVE-2015-5320 CloudBees Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave. MEDIUM Nov 25, 2015
CVE-2015-5323 CloudBees Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user. MEDIUM Nov 25, 2015
CVE-2015-5324 CloudBees Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api. MEDIUM Nov 25, 2015
CVE-2015-5325 CloudBees Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665. HIGH Nov 25, 2015
CVE-2015-1808 CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. Low Oct 19, 2015
CVE-2014-3665 CloudBees Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave. MEDIUM Nov 25, 2015
CVE-2014-3667 CloudBees Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code. Medium Oct 22, 2014
CVE-2014-3680 CloudBees Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM. Medium Oct 22, 2014
CVE-2014-3663 CloudBees Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors. Medium Oct 22, 2014
CVE-2014-3666 CloudBees Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel. High Oct 22, 2014
CVE-2014-3662 CloudBees Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts. Medium Oct 22, 2014
CVE-2014-3661 CloudBees Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake. Medium Oct 22, 2014
CVE-2014-2062 CloudBees Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token. Medium Oct 23, 2014
CVE-2014-2063 CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors. High Oct 23, 2014
CVE-2013-0331 CloudBees Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload. Medium Mar 21, 2013
CVE-2013-7330 CloudBees Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions. Medium Oct 23, 2014
CVE-2020-8631 cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function. LOW Feb 7, 2020
CVE-2020-11933 cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 devices was run without restrictions on every boot, which a physical attacker could exploit by crafting cloud-init user-data/meta-data via external media to perform arbitrary changes on the device to bypass intended security mechanisms such as full disk encryption. This issue did not affect traditional Ubuntu systems. Fixed in snapd version 2.45.2, revision 8539 and core version 2.45.2, revision 9659. MEDIUM Jul 29, 2020
CVE-2019-19023 Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform. MEDIUM Mar 20, 2020
CVE-2019-19029 Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform. MEDIUM Mar 20, 2020
CVE-2019-19026 Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. MEDIUM Mar 20, 2020
CVE-2019-19025 Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform. MEDIUM Mar 20, 2020
CVE-2019-19030 Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists. -- Dec 27, 2022
CVE-2019-9946 Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, which take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0. Medium Apr 4, 2019
CVE-2022-34434 Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application. -- Oct 14, 2022
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.