Filtered by vendor Oracle
Subscribe
Filtered by product Communications Session Route Manager
Subscribe
Total
73 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-13990 | 4 Apache, Netapp, Oracle and 1 more | 30 Tomee, Active Iq Unified Manager, Cloud Secure Agent and 27 more | 2023-03-03 | 7.5 HIGH | 9.8 CRITICAL |
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | |||||
CVE-2021-36090 | 3 Apache, Netapp, Oracle | 34 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 31 more | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH |
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. | |||||
CVE-2021-35516 | 3 Apache, Netapp, Oracle | 24 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 21 more | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH |
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. | |||||
CVE-2021-35517 | 3 Apache, Netapp, Oracle | 27 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 24 more | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH |
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. | |||||
CVE-2021-35515 | 3 Apache, Netapp, Oracle | 26 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 23 more | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH |
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. | |||||
CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 55 Debian Linux, Drupal, Fedora and 52 more | 2023-02-02 | 4.3 MEDIUM | 6.1 MEDIUM |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
CVE-2020-28052 | 3 Apache, Bouncycastle, Oracle | 20 Karaf, Legion-of-the-bouncy-castle-java-crytography-api, Banking Corporate Lending Process Management and 17 more | 2023-02-02 | 6.8 MEDIUM | 8.1 HIGH |
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. | |||||
CVE-2022-23437 | 3 Apache, Netapp, Oracle | 29 Xerces-j, Active Iq Unified Manager, Agile Engineering Data Management and 26 more | 2022-12-06 | 7.1 HIGH | 6.5 MEDIUM |
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. | |||||
CVE-2021-44790 | 7 Apache, Apple, Debian and 4 more | 14 Http Server, Mac Os X, Macos and 11 more | 2022-11-02 | 7.5 HIGH | 9.8 CRITICAL |
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. | |||||
CVE-2021-44224 | 6 Apache, Apple, Debian and 3 more | 12 Http Server, Mac Os X, Macos and 9 more | 2022-11-02 | 6.4 MEDIUM | 8.2 HIGH |
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). | |||||
CVE-2021-33037 | 4 Apache, Debian, Mcafee and 1 more | 22 Tomcat, Tomee, Debian Linux and 19 more | 2022-10-26 | 5.0 MEDIUM | 5.3 MEDIUM |
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. | |||||
CVE-2021-22118 | 3 Netapp, Oracle, Vmware | 32 Hci, Management Services For Element Software, Commerce Guided Search and 29 more | 2022-10-25 | 4.6 MEDIUM | 7.8 HIGH |
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. | |||||
CVE-2019-17359 | 4 Apache, Bouncycastle, Netapp and 1 more | 21 Tomee, Legion-of-the-bouncy-castle-java-crytography-api, Active Iq Unified Manager and 18 more | 2022-10-07 | 5.0 MEDIUM | 7.5 HIGH |
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. | |||||
CVE-2020-9490 | 7 Apache, Canonical, Debian and 4 more | 25 Http Server, Ubuntu Linux, Debian Linux and 22 more | 2022-10-07 | 5.0 MEDIUM | 7.5 HIGH |
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. | |||||
CVE-2021-2351 | 1 Oracle | 110 Advanced Networking Option, Agile Engineering Data Management, Agile Plm and 107 more | 2022-10-06 | 5.1 MEDIUM | 8.3 HIGH |
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | |||||
CVE-2021-45105 | 5 Apache, Debian, Netapp and 2 more | 121 Log4j, Debian Linux, Cloud Manager and 118 more | 2022-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. | |||||
CVE-2020-1941 | 2 Apache, Oracle | 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more | 2022-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue. | |||||
CVE-2020-36189 | 4 Debian, Fasterxml, Netapp and 1 more | 40 Debian Linux, Jackson-databind, Cloud Backup and 37 more | 2022-09-08 | 6.8 MEDIUM | 8.1 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. | |||||
CVE-2019-0197 | 6 Apache, Canonical, Fedoraproject and 3 more | 12 Http Server, Ubuntu Linux, Fedora and 9 more | 2022-09-07 | 4.9 MEDIUM | 4.2 MEDIUM |
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue. | |||||
CVE-2020-36180 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2022-09-02 | 6.8 MEDIUM | 8.1 HIGH |
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. |