Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2022-1912
Vulnerability from csaf_certbund
Published
2020-08-17 22:00
Modified
2025-02-23 23:00
Summary
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um Code zur Ausführung zu bringen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service zu verursachen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "JBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um Code zur Ausf\u00fchrung zu bringen, Informationen offenzulegen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-1912 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2022-1912.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-1912 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1912"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-08-17",
"url": "https://access.redhat.com/errata/RHSA-2020:3461"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-08-17",
"url": "https://access.redhat.com/errata/RHSA-2020:3462"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-08-17",
"url": "https://access.redhat.com/errata/RHSA-2020:3463"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-08-17",
"url": "https://access.redhat.com/errata/RHSA-2020:3464"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3501 vom 2020-08-18",
"url": "https://access.redhat.com/errata/RHSA-2020:3501"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3585 vom 2020-08-31",
"url": "https://access.redhat.com/errata/RHSA-2020:3585"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3539 vom 2020-09-02",
"url": "https://access.redhat.com/errata/RHSA-2020:3539"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3642 vom 2020-09-07",
"url": "https://access.redhat.com/errata/RHSA-2020:3642"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3637 vom 2020-09-07",
"url": "https://access.redhat.com/errata/RHSA-2020:3637"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3639 vom 2020-09-07",
"url": "https://access.redhat.com/errata/RHSA-2020:3639"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3638 vom 2020-09-07",
"url": "https://access.redhat.com/errata/RHSA-2020:3638"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3779 vom 2020-09-17",
"url": "https://access.redhat.com/errata/RHSA-2020:3779"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:3806 vom 2020-09-23",
"url": "https://access.redhat.com/errata/RHSA-2020:3806"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2020:2832-1 vom 2020-10-02",
"url": "http://lists.suse.com/pipermail/sle-security-updates/2020-October/007517.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-4575-1 vom 2020-10-14",
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4252 vom 2020-10-14",
"url": "https://access.redhat.com/errata/RHSA-2020:4252"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4960 vom 2020-11-05",
"url": "https://access.redhat.com/errata/RHSA-2020:4960"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4961 vom 2020-11-05",
"url": "https://access.redhat.com/errata/RHSA-2020:4961"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2020-136 vom 2020-12-11",
"url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2020-136/index.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:5568 vom 2020-12-16",
"url": "https://access.redhat.com/errata/RHSA-2020:5568"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0885 vom 2021-03-16",
"url": "https://access.redhat.com/errata/RHSA-2021:0885"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0872 vom 2021-03-16",
"url": "https://access.redhat.com/errata/RHSA-2021:0872"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0873 vom 2021-03-16",
"url": "https://access.redhat.com/errata/RHSA-2021:0873"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0874 vom 2021-03-16",
"url": "https://access.redhat.com/errata/RHSA-2021:0874"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:0974 vom 2021-03-23",
"url": "https://access.redhat.com/errata/RHSA-2021:0974"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:2210 vom 2021-06-02",
"url": "https://access.redhat.com/errata/RHSA-2021:2210"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:2755 vom 2021-07-15",
"url": "https://access.redhat.com/errata/RHSA-2021:2755"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:3140 vom 2021-08-11",
"url": "https://access.redhat.com/errata/RHSA-2021:3140"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-136 vom 2022-11-01",
"url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-136/index.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:1746 vom 2025-02-24",
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"source_lang": "en-US",
"title": "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-02-23T23:00:00.000+00:00",
"generator": {
"date": "2025-02-24T09:10:42.470+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2022-1912",
"initial_release_date": "2020-08-17T22:00:00.000+00:00",
"revision_history": [
{
"date": "2020-08-17T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2020-08-18T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-08-31T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-09-01T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-09-07T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-09-17T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-09-23T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-10-04T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2020-10-13T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2020-11-05T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-12-10T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2020-12-16T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-03-16T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-03-23T23:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-06-03T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-07-15T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-08-11T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2022-10-31T23:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2025-02-23T23:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "19"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
},
{
"category": "product_name",
"name": "Hitachi Network Attached Storage",
"product": {
"name": "Hitachi Network Attached Storage",
"product_id": "T011055",
"product_identification_helper": {
"cpe": "cpe:/h:hitachi:virtual_storage_platform:-"
}
}
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c7.3.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.3.2",
"product_id": "130262"
}
},
{
"category": "product_version",
"name": "7.3.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.3.2",
"product_id": "130262-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.1.9",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.1.9",
"product_id": "T041370"
}
},
{
"category": "product_version",
"name": "7.1.9",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.1.9",
"product_id": "T041370-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1.9"
}
}
}
],
"category": "product_name",
"name": "JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14900",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2019-14900"
},
{
"cve": "CVE-2020-10672",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10672"
},
{
"cve": "CVE-2020-10673",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10673"
},
{
"cve": "CVE-2020-10683",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10683"
},
{
"cve": "CVE-2020-10687",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10687"
},
{
"cve": "CVE-2020-10693",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10693"
},
{
"cve": "CVE-2020-10714",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10714"
},
{
"cve": "CVE-2020-10718",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10718"
},
{
"cve": "CVE-2020-10740",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-10740"
},
{
"cve": "CVE-2020-14297",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-14297"
},
{
"cve": "CVE-2020-1710",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-1710"
},
{
"cve": "CVE-2020-1748",
"product_status": {
"known_affected": [
"130262",
"T002207",
"T041370",
"67646",
"T000126",
"T011055",
"T017562"
]
},
"release_date": "2020-08-17T22:00:00.000+00:00",
"title": "CVE-2020-1748"
}
]
}
CVE-2020-1748 (GCVE-0-2020-1748)
Vulnerability from cvelistv5
Published
2020-09-16 15:27
Modified
2024-08-04 06:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Authorization
Summary
A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:46:30.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807707"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201001-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before wildfly-elytron-1.6.8.Final-redhat-00001"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-01T13:06:15",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1807707"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20201001-0005/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-1748",
"datePublished": "2020-09-16T15:27:36",
"dateReserved": "2019-11-27T00:00:00",
"dateUpdated": "2024-08-04T06:46:30.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-14900 (GCVE-0-2019-14900)
Vulnerability from cvelistv5
Published
2020-07-06 18:35
Modified
2024-08-05 00:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.118Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
},
{
"name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Hibernate",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions before Hibernate ORM 5.3.18"
},
{
"status": "affected",
"version": "Versions before Hibernate ORM 5.4.18"
},
{
"status": "affected",
"version": "Versions before Hibernate ORM 5.5.0.Beta1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-10T09:07:46",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
},
{
"name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14900",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Hibernate",
"version": {
"version_data": [
{
"version_value": "Versions before Hibernate ORM 5.3.18"
},
{
"version_value": "Versions before Hibernate ORM 5.4.18"
},
{
"version_value": "Versions before Hibernate ORM 5.5.0.Beta1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
},
{
"name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220210-0020/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14900",
"datePublished": "2020-07-06T18:35:01",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10740 (GCVE-0-2020-10740)
Vulnerability from cvelistv5
Published
2020-06-22 17:39
Modified
2024-08-04 11:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:14.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "Versions before 20.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-22T17:39:58",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10740",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wildfly",
"version": {
"version_data": [
{
"version_value": "Versions before 20.0.0.Final"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "6.6/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10740",
"datePublished": "2020-06-22T17:39:58",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:14:14.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10714 (GCVE-0-2020-10714)
Vulnerability from cvelistv5
Published
2020-09-23 12:28
Modified
2024-08-04 11:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | wildfly-elytron |
Version: wildfly-elytron 1.10.7.Final |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:14.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1825714"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201223-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly-elytron",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "wildfly-elytron 1.10.7.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-23T07:06:28",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1825714"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20201223-0002/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10714",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wildfly-elytron",
"version": {
"version_data": [
{
"version_value": "wildfly-elytron 1.10.7.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-384"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1825714",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1825714"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201223-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20201223-0002/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10714",
"datePublished": "2020-09-23T12:28:17",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:14:14.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10683 (GCVE-0-2020-10683)
Vulnerability from cvelistv5
Published
2020-05-01 18:55
Modified
2024-08-04 11:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:11.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2020:0719",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
},
{
"name": "USN-4575-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"name": "[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E"
},
{
"name": "[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:13:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "openSUSE-SU-2020:0719",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
},
{
"name": "USN-4575-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"name": "[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3Cdev.velocity.apache.org%3E"
},
{
"name": "[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3Cdev.velocity.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3Cnotifications.freemarker.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10683",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2020:0719",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html",
"refsource": "MISC",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
},
{
"name": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3",
"refsource": "CONFIRM",
"url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
},
{
"name": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658",
"refsource": "CONFIRM",
"url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200518-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
},
{
"name": "USN-4575-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4575-1/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://github.com/dom4j/dom4j/issues/87",
"refsource": "MISC",
"url": "https://github.com/dom4j/dom4j/issues/87"
},
{
"name": "https://github.com/dom4j/dom4j/commits/version-2.0.3",
"refsource": "MISC",
"url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
},
{
"name": "[velocity-dev] 20201203 Use of external DTDs - CVE-2020-10683",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E"
},
{
"name": "[velocity-dev] 20201203 Re: Use of external DTDs - CVE-2020-10683",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "[freemarker-notifications] 20210906 [jira] [Created] (FREEMARKER-190) The jar dom4j has known security issue that Freemarker compiles dependend on it",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10683",
"datePublished": "2020-05-01T18:55:25",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:06:11.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1710 (GCVE-0-2020-1710)
Vulnerability from cvelistv5
Published
2020-09-16 14:28
Modified
2024-08-04 06:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Neutralization of CRLF Sequences in HTTP Headers
Summary
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | JBoss Enterprise Application Platform |
Version: EAP 6.4.21 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:46:30.214Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JBoss Enterprise Application Platform",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "EAP 6.4.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of CRLF Sequences in HTTP Headers",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-16T14:28:20",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-1710",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "JBoss Enterprise Application Platform",
"version": {
"version_data": [
{
"version_value": "EAP 6.4.21"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-1710",
"datePublished": "2020-09-16T14:28:20",
"dateReserved": "2019-11-27T00:00:00",
"dateUpdated": "2024-08-04T06:46:30.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10693 (GCVE-0-2020-10693)
Vulnerability from cvelistv5
Published
2020-05-06 13:03
Modified
2024-08-04 11:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hibernate | hibernate-validator |
Version: 6.1.2.Final |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:11.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
},
{
"name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
},
{
"name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hibernate-validator",
"vendor": "Hibernate",
"versions": [
{
"status": "affected",
"version": "6.1.2.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:20:51",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
},
{
"name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
},
{
"name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10693",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hibernate-validator",
"version": {
"version_data": [
{
"version_value": "6.1.2.Final"
}
]
}
}
]
},
"vendor_name": "Hibernate"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E"
},
{
"name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E"
},
{
"name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10693",
"datePublished": "2020-05-06T13:03:33",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:06:11.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10672 (GCVE-0-2020-10672)
Vulnerability from cvelistv5
Published
2020-03-18 21:17
Modified
2024-08-04 11:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.4",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-10672",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-25T04:00:48.872316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T19:56:32.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:11.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2659"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-20T10:38:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2659"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10672",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"name": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2659",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2659"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200403-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10672",
"datePublished": "2020-03-18T21:17:43",
"dateReserved": "2020-03-18T00:00:00",
"dateUpdated": "2024-08-04T11:06:11.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10718 (GCVE-0-2020-10718)
Vulnerability from cvelistv5
Published
2020-09-16 18:06
Modified
2024-08-04 11:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Exposed Dangerous Method or Function
Summary
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:14.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828476"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before wildfly-embedded-13.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposed Dangerous Method or Function",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-16T18:06:26",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828476"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10718",
"datePublished": "2020-09-16T18:06:26",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:14:14.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10673 (GCVE-0-2020-10673)
Vulnerability from cvelistv5
Published
2020-03-18 21:17
Modified
2025-05-01 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "8.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "steelstore_cloud_integrated_storage",
"vendor": "netapp",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "agile_plm",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "9.3.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "autovue_for_agile_product_lifecycle_management",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "banking_digital_experience",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "18.3",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "19.2",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "20.1"
},
{
"lessThanOrEqual": "2.9.0",
"status": "affected",
"version": "2.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_calendar_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.0.5.0",
"status": "affected",
"version": "8.0.0.4.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_diameter_signaling_router",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_element_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_evolved_communications_application_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "7.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_instant_messaging_server",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "10.0.1.4.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "6.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_network_charging_and_control",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "communications_session_route_manager",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "8.2.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "enterprise_manager_base_platform",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "13.4.0.0",
"status": "affected",
"version": "13.3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_analytical_applications_infrastructure",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.1.0",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_institutional_performance_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
},
{
"status": "affected",
"version": "8.0.7"
},
{
"status": "affected",
"version": "8.1.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_price_creation_and_discovery",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "8.0.7",
"status": "affected",
"version": "8.0.6",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "financial_services_retail_customer_analytics",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8.0.6"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "global_lifecycle_management_opatch",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.0.1.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "insurance_policy_administration_j2ee",
"vendor": "oracle",
"versions": [
{
"lessThan": "11.1.0.15",
"status": "affected",
"version": "11.0.2.25",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jd_edwards_enterpriseone_orchestrator",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "9.2.4.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "primavera_unifier",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"lessThanOrEqual": "17.12",
"status": "affected",
"version": "17.7",
"versionType": "custom"
},
{
"status": "affected",
"version": "18.8"
},
{
"status": "affected",
"version": "19.12"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_merchandising_system",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "15.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_sales_audit",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_service_backbone",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "14.1"
},
{
"status": "affected",
"version": "15.0"
},
{
"status": "affected",
"version": "16.0"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "retail_xstore_point_of_service",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "19.0",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "weblogic_server",
"vendor": "oracle",
"versions": [
{
"lessThanOrEqual": "12.2.1.4.0",
"status": "affected",
"version": "12.2.1.3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:fasterxml:jackson-databind:2.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jackson-databind",
"vendor": "fasterxml",
"versions": [
{
"lessThan": "2.9.10.4",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-10673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": ""
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T03:55:12.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2660"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-20T10:38:39.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FasterXML/jackson-databind/issues/2660"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-10673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20200322 [SECURITY] [DLA 2153-1] jackson-databind security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"name": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"refsource": "MISC",
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200403-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"name": "https://github.com/FasterXML/jackson-databind/issues/2660",
"refsource": "MISC",
"url": "https://github.com/FasterXML/jackson-databind/issues/2660"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-10673",
"datePublished": "2020-03-18T21:17:26.000Z",
"dateReserved": "2020-03-18T00:00:00.000Z",
"dateUpdated": "2025-05-01T03:55:12.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10687 (GCVE-0-2020-10687)
Vulnerability from cvelistv5
Published
2020-09-23 12:30
Modified
2024-08-04 11:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:11.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049"
},
{
"name": "[cxf-dev] 20210129 Undertow CVE",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c%40%3Cdev.cxf.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0015/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Undertow",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Undertow 2.2.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-10T09:06:52",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049"
},
{
"name": "[cxf-dev] 20210129 Undertow CVE",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c%40%3Cdev.cxf.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0015/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10687",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Undertow",
"version": {
"version_data": [
{
"version_value": "Undertow 2.2.0.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-444"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049"
},
{
"name": "[cxf-dev] 20210129 Undertow CVE",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c@%3Cdev.cxf.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220210-0015/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220210-0015/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10687",
"datePublished": "2020-09-23T12:30:43",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:06:11.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14297 (GCVE-0-2020-14297)
Vulnerability from cvelistv5
Published
2020-07-24 15:37
Modified
2024-10-15 17:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:09:41.879622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:14:53.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "jboss-ejb-client as shipped with Red Hat JBoss EAP 7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in Wildfly\u0027s EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T15:37:25",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-14297",
"datePublished": "2020-07-24T15:37:25",
"dateReserved": "2020-06-17T00:00:00",
"dateUpdated": "2024-10-15T17:14:53.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…