Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Oracle Subscribe
Filtered by product Enterprise Repository
Total 21 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-36374 2 Apache, Oracle 36 Ant, Agile Engineering Data Management, Agile Plm and 33 more 2023-02-28 4.3 MEDIUM 5.5 MEDIUM
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2021-36373 2 Apache, Oracle 32 Ant, Agile Plm, Banking Trade Finance and 29 more 2023-02-28 4.3 MEDIUM 5.5 MEDIUM
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2019-17566 2 Apache, Oracle 18 Batik, Api Gateway, Business Intelligence and 15 more 2022-12-06 5.0 MEDIUM 7.5 HIGH
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVE-2020-1941 2 Apache, Oracle 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more 2022-10-05 4.3 MEDIUM 6.1 MEDIUM
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
CVE-2020-11987 3 Apache, Fedoraproject, Oracle 18 Batik, Fedora, Banking Apis and 15 more 2022-07-25 6.4 MEDIUM 8.2 HIGH
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVE-2020-11979 4 Apache, Fedoraproject, Gradle and 1 more 37 Ant, Fedora, Gradle and 34 more 2022-05-12 5.0 MEDIUM 7.5 HIGH
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
CVE-2018-1258 5 Netapp, Oracle, Pivotal Software and 2 more 42 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 39 more 2022-04-11 6.5 MEDIUM 8.8 HIGH
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CVE-2019-12415 2 Apache, Oracle 27 Poi, Application Testing Suite, Banking Enterprise Originations and 24 more 2022-04-08 2.1 LOW 5.5 MEDIUM
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CVE-2020-1945 5 Apache, Canonical, Fedoraproject and 2 more 50 Ant, Ubuntu Linux, Fedora and 47 more 2022-04-04 3.3 LOW 6.3 MEDIUM
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CVE-2020-11994 2 Apache, Oracle 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more 2022-04-01 5.0 MEDIUM 7.5 HIGH
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
CVE-2018-1000613 4 Bouncycastle, Netapp, Opensuse and 1 more 24 Legion-of-the-bouncy-castle-java-crytography-api, Oncommand Workflow Automation, Leap and 21 more 2022-01-14 7.5 HIGH 9.8 CRITICAL
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
CVE-2020-11998 2 Apache, Oracle 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more 2021-12-10 7.5 HIGH 9.8 CRITICAL
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13
CVE-2019-0222 4 Apache, Debian, Netapp and 1 more 8 Activemq, Debian Linux, E-series Santricity Web Services and 5 more 2021-07-21 5.0 MEDIUM 7.5 HIGH
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
CVE-2018-1000180 5 Bouncycastle, Debian, Netapp and 2 more 21 Fips Java Api, Legion-of-the-bouncy-castle-java-crytography-api, Debian Linux and 18 more 2021-06-14 5.0 MEDIUM 7.5 HIGH
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
CVE-2019-2904 1 Oracle 22 Application Testing Suite, Banking Enterprise Collections, Banking Enterprise Originations and 19 more 2021-05-18 7.5 HIGH 9.8 CRITICAL
Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2019-0188 2 Apache, Oracle 5 Camel, Enterprise Data Quality, Enterprise Manager Base Platform and 2 more 2021-03-15 5.0 MEDIUM 7.5 HIGH
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.
CVE-2018-11775 2 Apache, Oracle 3 Activemq, Enterprise Repository, Flexcube Private Banking 2021-03-05 5.8 MEDIUM 7.4 HIGH
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
CVE-2021-1994 1 Oracle 2 Enterprise Repository, Weblogic Server 2021-01-22 7.5 HIGH 9.8 CRITICAL
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2018-8013 4 Apache, Canonical, Debian and 1 more 21 Batik, Ubuntu Linux, Debian Linux and 18 more 2020-10-20 7.5 HIGH 9.8 CRITICAL
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
CVE-2017-10048 1 Oracle 1 Enterprise Repository 2019-10-02 5.8 MEDIUM 8.2 HIGH
Vulnerability in the Oracle Enterprise Repository component of Oracle Fusion Middleware (subcomponent: Web Interface). Supported versions that are affected are 11.1.1.7.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Repository. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Repository, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Repository accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Repository accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).