Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Oracle Subscribe
Filtered by product Financial Services Crime And Compliance Management Studio
Total 21 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-36090 3 Apache, Netapp, Oracle 34 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 31 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2021-35517 3 Apache, Netapp, Oracle 27 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 24 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVE-2021-35516 3 Apache, Netapp, Oracle 24 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 21 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35515 3 Apache, Netapp, Oracle 26 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 23 more 2023-02-28 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-38296 2 Apache, Oracle 2 Spark, Financial Services Crime And Compliance Management Studio 2023-02-08 5.0 MEDIUM 7.5 HIGH
Apache Spark supports end-to-end encryption of RPC connections via "spark.authenticate" and "spark.network.crypto.enabled". In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. After an initial interactive attack, this would allow someone to decrypt plaintext traffic offline. Note that this does not affect security mechanisms controlled by "spark.authenticate.enableSaslEncryption", "spark.io.encryption.enabled", "spark.ssl", "spark.ui.strictTransportSecurity". Update to Apache Spark 3.1.3 or later
CVE-2022-22978 3 Netapp, Oracle, Vmware 3 Active Iq Unified Manager, Financial Services Crime And Compliance Management Studio, Spring Security 2023-02-03 7.5 HIGH 9.8 CRITICAL
In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass
CVE-2022-22976 3 Netapp, Oracle, Vmware 3 Active Iq Unified Manager, Financial Services Crime And Compliance Management Studio, Spring Security 2023-02-02 4.3 MEDIUM 5.3 MEDIUM
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CVE-2021-37714 4 Jsoup, Netapp, Oracle and 1 more 16 Jsoup, Management Services For Element Software And Netapp Hci, Banking Trade Finance and 13 more 2022-12-07 5.0 MEDIUM 7.5 HIGH
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CVE-2022-23437 3 Apache, Netapp, Oracle 29 Xerces-j, Active Iq Unified Manager, Agile Engineering Data Management and 26 more 2022-12-06 7.1 HIGH 6.5 MEDIUM
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CVE-2020-9492 2 Apache, Oracle 3 Hadoop, Solr, Financial Services Crime And Compliance Management Studio 2022-12-06 6.5 MEDIUM 8.8 HIGH
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.
CVE-2020-7712 2 Joyent, Oracle 5 Json, Commerce Guided Search, Financial Services Crime And Compliance Management Studio and 2 more 2022-12-03 6.5 MEDIUM 7.2 HIGH
This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.
CVE-2022-24823 3 Netapp, Netty, Oracle 5 Active Iq Unified Manager, Oncommand Workflow Automation, Snapcenter and 2 more 2022-12-03 1.9 LOW 5.5 MEDIUM
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CVE-2020-36518 4 Debian, Fasterxml, Netapp and 1 more 36 Debian Linux, Jackson-databind, Active Iq Unified Manager and 33 more 2022-11-29 5.0 MEDIUM 7.5 HIGH
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVE-2022-25647 4 Debian, Google, Netapp and 1 more 6 Debian Linux, Gson, Active Iq Unified Manager and 3 more 2022-11-28 5.0 MEDIUM 7.5 HIGH
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
CVE-2022-23181 3 Apache, Debian, Oracle 7 Tomcat, Debian Linux, Agile Engineering Data Management and 4 more 2022-11-07 3.7 LOW 7.0 HIGH
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2021-34429 3 Eclipse, Netapp, Oracle 18 Jetty, E-series Santricity Os Controller, E-series Santricity Web Services and 15 more 2022-10-27 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
CVE-2022-22970 3 Netapp, Oracle, Vmware 6 Active Iq Unified Manager, Brocade San Navigator, Cloud Secure Agent and 3 more 2022-10-07 3.5 LOW 5.3 MEDIUM
In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CVE-2022-22971 3 Netapp, Oracle, Vmware 4 Cloud Secure Agent, Oncommand Insight, Financial Services Crime And Compliance Management Studio and 1 more 2022-10-05 4.0 MEDIUM 6.5 MEDIUM
In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
CVE-2021-23337 4 Lodash, Netapp, Oracle and 1 more 23 Lodash, Active Iq Unified Manager, Cloud Manager and 20 more 2022-09-13 6.5 MEDIUM 7.2 HIGH
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVE-2020-28500 3 Lodash, Oracle, Siemens 19 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 16 more 2022-09-13 5.0 MEDIUM 5.3 MEDIUM
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.