Search
Total
7 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9484 | 7 Apache, Canonical, Debian and 4 more | 26 Tomcat, Ubuntu Linux, Debian Linux and 23 more | 2022-07-25 | 4.4 MEDIUM | 7.0 HIGH |
| When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. | |||||
| CVE-2019-0227 | 2 Apache, Oracle | 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management Framework and 34 more | 2022-07-25 | 5.4 MEDIUM | 7.5 HIGH |
| A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue. | |||||
| CVE-2018-11040 | 3 Debian, Oracle, Vmware | 28 Debian Linux, Agile Product Lifecycle Management, Application Testing Suite and 25 more | 2022-06-23 | 4.3 MEDIUM | 7.5 HIGH |
| Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. | |||||
| CVE-2018-1258 | 4 Netapp, Oracle, Pivotal Software and 1 more | 42 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 39 more | 2021-12-16 | 6.5 MEDIUM | 8.8 HIGH |
| Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | |||||
| CVE-2019-0190 | 3 Apache, Openssl, Oracle | 6 Http Server, Openssl, Enterprise Manager Ops Center and 3 more | 2021-07-20 | 5.0 MEDIUM | 7.5 HIGH |
| A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. | |||||
| CVE-2018-2604 | 1 Oracle | 1 Hospitality Guest Access | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in the Oracle Hospitality Guest Access component of Oracle Hospitality Applications (subcomponent: Base). The supported version that is affected is 4.2.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Guest Access. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Guest Access accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2017-10372 | 1 Oracle | 1 Hospitality Guest Access | 2019-10-03 | 5.5 MEDIUM | 8.7 HIGH |
| Vulnerability in the Oracle Hospitality Guest Access component of Oracle Hospitality Applications (subcomponent: Base). Supported versions that are affected are 4.2.0 and 4.2.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality Guest Access. While the vulnerability is in Oracle Hospitality Guest Access, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hospitality Guest Access accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality Guest Access. CVSS 3.0 Base Score 8.7 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H). | |||||