
Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege.

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user with the Operator level can see all SSH servers (and user information) even if no SSH server or user is associated with the operator.

Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via SSH. (The credentials are stored in the firmware, protected only by a crypt(3) password hash, so anyone with the image can recover or crack them offline.)

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users with access to the configuration can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to log in as root by extracting the key from the software.

A missing permission check in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.

A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publisher Plugin 1.8 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.

The x/crypto/ssh package (golang.org/x/crypto/ssh) before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

aaPanel v6.8.21 was discovered to be vulnerable to directory traversal. This vulnerability allows attackers to obtain the root user's private SSH key (id_rsa).
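The Icinga Web 2 entry (files written to unintended directories) and the aaPanel entry (traversal to read root's id_rsa) are the same mistake from two sides: a user-controlled path segment is joined onto a base directory without checking where the result ends up. The following is an added example, not code from either project, showing the naive join next to a containment check that resolves symlinks and ".." first and then requires the result to remain under the base directory. The function names and the temporary directory layout (a fake .ssh/id_rsa beside a web root) are constructed for illustration.

```python
"""Added example (not aaPanel's or Icinga Web 2's code): containing a
user-supplied path inside a base directory.

serve_file_vulnerable() reproduces the traversal pattern; safe_join() is
the hardened form. Directory layout and file contents are constructed."""
import os
import tempfile
from pathlib import Path


def serve_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Naive join: '../' segments (or an absolute path) walk out of base_dir."""
    return Path(os.path.join(base_dir, requested)).read_bytes()


def safe_join(base_dir: str, requested: str) -> Path:
    """Resolve symlinks and '..', then require the target to stay under base_dir.

    Raises PermissionError for anything that escapes: '../' chains, absolute
    paths (Path joining discards the base for those) and symlinks that point
    outside the base directory. Both sides are resolved so a symlinked base
    (e.g. /tmp on macOS) does not cause false rejections.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise PermissionError(f"{requested!r} escapes {base_dir!r}") from None
    return target


def serve_file_hardened(base_dir: str, requested: str) -> bytes:
    return safe_join(base_dir, requested).read_bytes()


def demo() -> dict:
    """Constructed layout: <tmp>/.ssh/id_rsa next to <tmp>/www (the web root).

    Returns what the vulnerable path hands out, whether the hardened path
    refused the same request, and that ordinary files still work.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".ssh").mkdir()
        (root / ".ssh" / "id_rsa").write_bytes(b"-----BEGIN CONSTRUCTED KEY-----")
        web = root / "www"
        web.mkdir()
        (web / "index.html").write_bytes(b"<h1>ok</h1>")

        traversal = "../.ssh/id_rsa"          # relative escape from the web root
        leaked = serve_file_vulnerable(str(web), traversal)
        try:
            serve_file_hardened(str(web), traversal)
            blocked = False
        except PermissionError:
            blocked = True
        normal = serve_file_hardened(str(web), "index.html")
        return {"leaked": leaked, "blocked": blocked, "normal": normal}


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the resolved path rather than by string-filtering "..": encoded or doubled separators, symlinks and absolute paths all collapse to the same question of whether the final location is under the base. The same safe_join() applies to a write path (the Icinga case) as to a read path (the aaPanel case).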
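Both the Baicells entry (credentials baked into every firmware image) and the Bettini GAMS entry (one static SSH key shipped in every installation) are detectable from the outside by the same symptom: many distinct hosts presenting identical key material. The following is an added example, not code from either vendor, that parses known_hosts-style lines, computes the OpenSSH-style SHA256 fingerprint of each key blob, and reports fingerprints shared by more than one host. The host names and key blobs are constructed (the blobs are valid base64 but not real keys), so the fingerprints it prints do not belong to any real system.

```python
"""Added example (not Baicells' or Bettini's code): flag SSH host keys
that more than one host presents, the footprint of a static key shipped in
a product image. Sample known_hosts lines and key blobs are constructed."""
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(raw key)."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, fingerprint) per key line.

    Blank and comment lines are ignored; '@cert-authority' / '@revoked'
    marker lines are skipped because they do not describe a host's own key.
    Hashed host fields ('|1|...') are passed through untouched.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, key_type, blob = fields[0], fields[1], fields[2]
        yield host_field, key_type, fingerprint(blob)


def find_shared_keys(text: str) -> dict:
    """Map fingerprint -> sorted host fields, keeping only keys seen on more
    than one host entry. A host field such as 'c.example,10.0.0.3' is one
    host with aliases, so grouping is by host field, not by alias."""
    seen = defaultdict(set)
    for host_field, _key_type, fp in parse_known_hosts(text):
        seen[fp].add(host_field)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def _blob(material: bytes) -> str:
    """Constructed key blob: any bytes, base64-encoded like a real key field."""
    return base64.b64encode(material).decode()


SHARED = _blob(b"constructed ed25519 key material shared by two boxes")
UNIQUE = _blob(b"constructed ed25519 key material unique to one box")

# Constructed sample: gateway-a and gateway-c present the same key.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real hosts",
    f"gateway-a.example ssh-ed25519 {SHARED}",
    f"gateway-b.example ssh-ed25519 {UNIQUE}",
    f"gateway-c.example,10.0.0.3 ssh-ed25519 {SHARED}",
    f"@cert-authority *.example ssh-ed25519 {UNIQUE}",   # marker line, skipped
])


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(fp, "shared by", ", ".join(hosts))
```

Run against a fleet's collected known_hosts (or the output of ssh-keyscan over an address range), any fingerprint listed with several unrelated hosts is worth treating as a shared or vendor-default key until proven otherwise; a key shared across installations means one extracted private key logs in everywhere it is deployed.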

A missing or incorrect permission check in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

A cross-site request forgery (CSRF) vulnerability in Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
