Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Oracle Subscribe
Filtered by product Banking Platform
Total 72 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21342 4 Debian, Fedoraproject, Oracle and 1 more 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more 2023-03-09 5.8 MEDIUM 9.1 CRITICAL
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-36090 3 Apache, Netapp, Oracle 34 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 31 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2019-14439 6 Apache, Debian, Fasterxml and 3 more 18 Drill, Debian Linux, Jackson-databind and 15 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
CVE-2021-43797 5 Debian, Netapp, Netty and 2 more 18 Debian Linux, Oncommand Workflow Automation, Snapcenter and 15 more 2023-02-24 4.3 MEDIUM 6.5 MEDIUM
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CVE-2020-11023 7 Debian, Drupal, Fedoraproject and 4 more 55 Debian Linux, Drupal, Fedora and 52 more 2023-02-02 4.3 MEDIUM 6.1 MEDIUM
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-25649 6 Apache, Fasterxml, Fedoraproject and 3 more 39 Iotdb, Jackson-databind, Fedora and 36 more 2023-02-02 5.0 MEDIUM 7.5 HIGH
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVE-2019-14379 7 Apple, Debian, Fasterxml and 4 more 25 Xcode, Debian Linux, Jackson-databind and 22 more 2022-12-02 7.5 HIGH 9.8 CRITICAL
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVE-2021-41182 7 Debian, Drupal, Fedoraproject and 4 more 37 Debian Linux, Drupal, Fedora and 34 more 2022-11-07 4.3 MEDIUM 6.1 MEDIUM
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
CVE-2021-41184 6 Drupal, Fedoraproject, Jquery and 3 more 35 Drupal, Fedora, Jquery Ui and 32 more 2022-11-07 4.3 MEDIUM 6.1 MEDIUM
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
CVE-2021-41183 7 Debian, Drupal, Fedoraproject and 4 more 36 Debian Linux, Drupal, Fedora and 33 more 2022-11-07 4.3 MEDIUM 6.1 MEDIUM
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
CVE-2020-26217 5 Apache, Debian, Netapp and 2 more 15 Activemq, Debian Linux, Snapmanager and 12 more 2022-10-28 9.3 HIGH 8.8 HIGH
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CVE-2021-29425 4 Apache, Debian, Netapp and 1 more 60 Commons Io, Debian Linux, Active Iq Unified Manager and 57 more 2022-10-27 5.8 MEDIUM 4.8 MEDIUM
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CVE-2017-15095 5 Debian, Fasterxml, Netapp and 2 more 25 Debian Linux, Jackson-databind, Oncommand Balance and 22 more 2022-10-25 7.5 HIGH 9.8 CRITICAL
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVE-2021-21348 4 Debian, Fedoraproject, Oracle and 1 more 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more 2022-10-21 7.8 HIGH 7.5 HIGH
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-21345 4 Debian, Fedoraproject, Oracle and 1 more 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more 2022-10-21 6.5 MEDIUM 9.9 CRITICAL
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CVE-2021-2351 1 Oracle 110 Advanced Networking Option, Agile Engineering Data Management, Agile Plm and 107 more 2022-10-06 5.1 MEDIUM 8.3 HIGH
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2021-45105 5 Apache, Debian, Netapp and 2 more 121 Log4j, Debian Linux, Cloud Manager and 118 more 2022-10-06 4.3 MEDIUM 5.9 MEDIUM
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CVE-2019-10173 2 Oracle, Xstream Project 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more 2022-10-05 7.5 HIGH 9.8 CRITICAL
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)
CVE-2019-10219 3 Netapp, Oracle, Redhat 195 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 192 more 2022-09-12 4.3 MEDIUM 6.1 MEDIUM
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVE-2021-35043 3 Antisamy Project, Netapp, Oracle 10 Antisamy, Active Iq Unified Manager, Banking Enterprise Default Management and 7 more 2022-09-12 4.3 MEDIUM 6.1 MEDIUM
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.