CVE-2021-25746: Ingress-nginx directive injection via annotations

A user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

April 22, 2022

CVE-2022-21496: Improper Implementation of the LDAP URI Specification Allowing for Host Validation Bypasses

A parser differential between com.sun.jndi.ldap.LdapURL and java.net.URI may lead to LDAP URI validation bypasses.

April 19, 2022

CVE-2022-21701: Istio Privilege Escalation in Kubernetes Gateway API

Istio versions 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod.

January 18, 2022

CVE-2019-18818: strapi Password Reset Auth Bypass

strapi before 3.0.0-beta.17.5 mishandles password resets within default authentication controllers.

November 7, 2019

CVE-2019-1003040: Jenkins Script Security plugin sandbox escape

Sandbox protection in the “Script Security and Pipeline: Groovy Plugins” could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.

March 28, 2019

CVE-2018-2813: MySQL Missing Privilege Check

Privilege escalation in MySQL server due to a missing file permission check.

December 15, 2017

CVE-2016-7063: Pritunl Privilege Escalation via Path Traversal

The Pritunl Client service accepted configuration data which was saved to a file. The service, running as root, would write user-specified data to the user-specified path, leading to privilege escalation.

August 23, 2016

CVE-2016-7064: Pritunl Invalid Signature Verification

The Pritunl Client did not validate VPN server certificates before initiating a VPN connection.

August 23, 2016

CVE-2016-4991: Command injection in NodePDF

NodePDF passes filenames to child_process.exec(), but it does not properly encode all special characters.

May 24, 2016

CVE-2015-5238: Stack overflow in libtre5

A buffer overflow exists in tre_parse() when parsing a literal (e.g. \x{deadbeef}), used during regular expression compilation.

July 1, 2015