CVE-2014-1881
Published 2014-03-03
Priority: P347 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 11.21% (95.4th percentile)
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and waits a certain amount of time for an OnJsPrompt handler return value as an alternative to correct synchronization.
Affected (18 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | phonegap | <= 2.9.0 | — |
| adobe | phonegap | 11 further ranges, no version data listed | — |
| apache | cordova | <= 3.3.0 | — |
| apache | cordova | 4 further ranges, no version data listed | — |
| glance_project | glance | >= 0 < 11.0.0a0 | 11.0.0a0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | 4.0 | — | MEDIUM | — |
| vendor_redhat | 4.0 | — | MEDIUM | — |
GHSA: GHSA-qjxm-w9fw-977v: Apache Cordova 3
ghsa_unreviewed · 2022-05-17 · CVE-2014-1881 [HIGH]
Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and waits a certain amount of time for an OnJsPrompt handler return value as an alternative to correct synchronization.
GHSA: OpenStack Glance Denial of service by creating a large number of images
ghsa · 2022-05-17 · CVSS 4.0 · CVE-2015-1881 [MEDIUM] · CWE-770
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684.
GHSA: OpenStack Glance Denial of service by creating a large number of images
ghsa · 2022-05-17 · CVSS 4.0 · CVE-2014-9684 [MEDIUM] · CWE-770
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.
Red Hat: openstack-glance: potential resource exhaustion and denial of service using images manipulation API
vendor_redhat · 2015-02-19 · CVSS 4.0 · CVE-2015-1881 [MEDIUM] · CWE-400
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684.
Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion.
Package: openstack-glance (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Red Hat: openstack-glance: potential resource exhaustion and denial of service using images manipulation API
vendor_redhat · 2015-02-19 · CVSS 4.0 · CVE-2014-9684 [MEDIUM] · CWE-400
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.
Multiple flaws were found in the glance task API that could cause untracked image data to be left in the back end. A malicious user could use these flaws to deliberately accumulate untracked image data, and cause a denial of service via resource exhaustion.
Package: openstack-glance (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse))
No detection rules found.
No public exploits indexed.
References
http://openwall.com/lists/oss-security/2014/02/07/9
http://packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt
http://seclists.org/bugtraq/2014/Jan/96
http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf
http://www.internetsociety.org/ndss2014/programme#session3