logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

Description

## Summary The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM has addressed the relevant CVEs. ## Vulnerability Details ** CVEID: **[CVE-2019-12086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a Polymorphic Typing issue that occurs due to missing com.mysql.cj.jdbc.admin.MiniAdmin validation. By sending a specially-crafted JSON message, a remote attacker could exploit this vulnerability to read arbitrary local files on the server. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161256](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161256>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-12384](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the failure to block the logback-core class from polymorphic deserialization. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-12814](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue. By sending a specially-crafted JSON message, an attacker could exploit this vulnerability to read arbitrary local files on the server. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2019-14379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the SubTypeValidator.java. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165286>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-14439](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue when Default Typing is enabled. A remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164744](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164744>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-14540](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167354>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-14892](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14892>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using commons-configuration 1 and 2 JNDI classes. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177106](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177106>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-14893](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when using the xalan JNDI gadget. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177108>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-16335](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariDataSource. A remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167205>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-16942](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the commons-dbcp class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168254](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168254>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-16943](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue in the p6spy class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168255](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168255>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-17267](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17267>) ** DESCRIPTION: **FasterXML jackson-databind could provide weaker than expected security, caused by a polymorphic typing issue in the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. A remote attacker could exploit this vulnerability to launch further attacks on the system. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168514>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2019-17531](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a polymorphic typing issue when Default Typing is enabled. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169073](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169073>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-20330](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330>) ** DESCRIPTION: **A lacking of certain net.sf.ehcache blocking in FasterXML jackson-databind has an unknown impact and attack vector. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173897](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173897>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2020-10672](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10672>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178104>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10673](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10673>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.caucho.config.types.ResourceRef (aka caucho-quercus). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178107](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178107>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10968](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10968>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178544](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178544>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in javax.swing.JEditorPane. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178546](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178546>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11111](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11111>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178901](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178901>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11112](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178902](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178902>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11113](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178903](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178903>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11619](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179430>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-11620](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in org.apache.commons.jelly.impl.Embedded (aka commons-jelly). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179431>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14060](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14060>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183422](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183422>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14061](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14061>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183424](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183424>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14062](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14062>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183425](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183425>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-14195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14195>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in rg.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183495](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183495>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-24616](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187229>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-24750](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24750>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188470](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188470>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-25649](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25649>) ** DESCRIPTION: **FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192648](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192648>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) ** CVEID: **[CVE-2020-35490](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35490>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193391](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193391>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-35491](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35491>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193394](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193394>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-35728](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35728>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193843](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193843>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36179](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36179>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194374](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194374>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36180](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36180>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194375](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194375>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36181>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194376](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194376>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36182>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194377](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194377>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36183](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36183>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194378](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194378>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36184](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36184>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194379>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36185](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36185>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194380](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194380>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36186](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36186>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194381](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194381>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36187](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36187>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194382](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194382>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36188](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36188>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194383](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194383>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-36189](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36189>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194384](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194384>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-8840](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840>) ** DESCRIPTION: **Multiple Huawei products could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data without proper validation. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185699>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2020-9546](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177102](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177102>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9547](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177103>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177104>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-20190](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20190>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to a class(es) of JDK Swing. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195243](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195243>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-27568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27568>) ** DESCRIPTION: **Netplex json-smart-v1 and json-smart-v2 are vulnerable to a denial of service, caused by an uncaught exception flaw in NumberFormatException. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the library to crash or obtain sensitive information. CVSS Base score: 9.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197316](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197316>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) ** CVEID: **[CVE-2019-17195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17195>) ** DESCRIPTION: **Connect2id Nimbus JOSE+JWT is vulnerable to a denial of service, caused by the throwing of various uncaught exceptions while parsing a JWT. An attacker could exploit this vulnerability to crash the application or obtain sensitive information. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169514>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) ** CVEID: **[CVE-2012-2733](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by the improper verification of the request headers by the parseHeaders() function. A remote attacker could exploit this vulnerability using specially-crafted headers to cause an out-of-memory exception. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79806](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79806>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2012-3544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by the failure to properly handle chunk extensions in chunked transfer coding. By streaming data, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84952](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84952>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2012-3546](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in the FormAuthenticator component during FORM authentication. By leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI, an attacker could exploit his vulnerability to bypass the authentication mechanism and gain unauthorized access to the system. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80517](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80517>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-4431](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in the doFilter() method. By sending a specially-crafted request to a protected source without a session identifier present in the request, an attacker could exploit this vulnerability to bypass the CSRF prevention filter and gain unauthorized access to the system. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80518](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80518>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-4534](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an error when using the NIO connector with sendfile and HTTPS enabled. A remote attacker could exploit this vulnerability to cause the application to enter an infinite loop and consume all available CPU resources. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80516](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80516>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2012-5885](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5885>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the tracking of cnonce values instead of nonce and nc values by the replay-countermeasure functionality in the HTTP Digest Access Authentication implementation. By sniffing the network, a remote attacker could exploit this vulnerability to bypass security restrictions. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80408](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80408>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-5886](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5886>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the caching of information about the authenticated user within the session state by the HTTP Digest Access Authentication implementation. A remote attacker could exploit this vulnerability to bypass security restrictions. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80407](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80407>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-5887](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5887>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the failure to properly check server nonces by the DIGEST authentication mechanism. A remote attacker could exploit this vulnerability to gain unauthorized access to the system. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79809](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79809>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2013-2067](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to hijack a valid user's session, caused by the improper validation of session cookies by the FormAuthenticator module. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to hijack another user's session and possibly launch further attacks on the system. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84154](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84154>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2013-2185](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2185>) ** DESCRIPTION: **Red Hat JBoss Enterprise Application Platform could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the implementation of the DiskFileItem class. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability using serialized instance of the DiskFileItem class to upload a file containing a NULL byte, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. CVSS Base score: 6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87273](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87273>) for the current score. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) ** CVEID: **[CVE-2013-4286](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286>) ** DESCRIPTION: **Apache Tomcat is vulnerable to HTTP request smuggling, caused by an incomplete fix related to the handling of malicious request. By sending a specially-crafted request in a Transfer-Encoding: chunked header and a Content-length header to the Apache HTTP server that will be reassembled with the original Content-Length header value, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/91426](<https://exchange.xforce.ibmcloud.com/vulnerabilities/91426>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2013-4322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an incomplete fix related to the processing of chunked transfer coding without properly handling a large total amount of chunked data or whitespace characters in an HTTP header value. A remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/91625](<https://exchange.xforce.ibmcloud.com/vulnerabilities/91625>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2013-4444](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4444>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the File Upload feature. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious JSP, which could allow the attacker to execute arbitrary JSP code on the vulnerable system. CVSS Base score: 6 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95876](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95876>) for the current score. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) ** CVEID: **[CVE-2013-4590](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when running untrusted web applications. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/91424](<https://exchange.xforce.ibmcloud.com/vulnerabilities/91424>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) ** CVEID: **[CVE-2014-0033](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0033>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to hijack a valid user's session, caused by an error even when disableURLRewriting is enabled. By persuading a victim to visit a specially-crafted link and log into the application, a remote attacker could exploit this vulnerability to hijack another user's account and possibly launch further attacks on the system. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/91423](<https://exchange.xforce.ibmcloud.com/vulnerabilities/91423>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2014-0075](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an integer overflow in the parseChunkHeader function. A remote attacker could exploit this vulnerability using a malformed chunk size as part of a chunked request to consume all available resources. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93365](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93365>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2014-0096](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data by the default server. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93367](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93367>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) ** CVEID: **[CVE-2014-0099](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to check for overflows when parsing content length headers. By sending specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93369](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93369>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) ** CVEID: **[CVE-2014-0119](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the replacement of the XML parsers used to process XSLTs for the default servlet. An attacker could exploit this vulnerability using a specially-crafted application to obtain sensitive information. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93368](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93368>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) ** CVEID: **[CVE-2014-0227](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227>) ** DESCRIPTION: **Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/100751](<https://exchange.xforce.ibmcloud.com/vulnerabilities/100751>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2014-0230](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0230>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an error when an HTTP response is returned before the entire request body is fully read. An attacker could exploit this vulnerability using a series of aborted upload attempts to cause a denial of service. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/102131](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102131>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2014-7810](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of expression language. An attacker could exploit this vulnerability to bypass the protections of a Security Manager. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/103155](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103155>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2015-5174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) in the getResource(), getResourceAsStream() and getResourcePaths() ServletContext methods to obtain a directory listing for the directory. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/110860](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110860>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2015-5345](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error when accessing a protected directory. By redirecting to the URL, an attacker could exploit this vulnerability to determine the presence of a directory. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/110857](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110857>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2016-0706](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the loading of the StatusManagerServlet during the configuration of a security manager. An attacker could exploit this vulnerability to obtain deployed applications and other sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/110855](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110855>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2016-0714](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by an error in multiple session persistence mechanisms. By placing a malicious object into a session, an attacker could exploit this vulnerability to bypass a security manager and possibly execute arbitrary code on the system. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/110856](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110856>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2016-0762](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to process the user supplied password if the specified user name does not exist by the Realm implementation. An attacker could exploit this vulnerability to conduct a timing attack and determine valid usernames on the system. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118407](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118407>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2016-5018](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018>) ** DESCRIPTION: **Apache Tomcat could allow a local attacker to bypass security restrictions. An attacker could exploit this vulnerability using a Tomcat utility method to bypass a configured SecurityManager. CVSS Base score: 4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118406](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118406>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2016-5388](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to redirect HTTP traffic of CGI application, caused by the failure to protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable. By using a specially-crafted Proxy header in a HTTP request, an attacker could exploit this vulnerability to redirect outbound HTTP traffic to arbitrary proxy server. This is also known as the "HTTPOXY" vulnerability. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/115091](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115091>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2016-6794](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794>) ** DESCRIPTION: **Apache Tomcat could allow a local attacker to obtain sensitive information, caused by an error in the system property replacement feature. An attacker could exploit this vulnerability to bypass the SecurityManager and read system properties. CVSS Base score: 4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118405](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118405>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2016-6796](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796>) ** DESCRIPTION: **Apache Tomcat could allow a local attacker to bypass security restrictions. By modifying configuration parameters for the JSP Servlet, an attacker could exploit this vulnerability to bypass a configured SecurityManager. CVSS Base score: 4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118404>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2016-6797](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797>) ** DESCRIPTION: **Apache Tomcat could allow a local attacker to gain unauthorized access to the system, caused by an error in the ResourceLinkFactory. An attacker could exploit this vulnerability to gain access to arbitrary global JNDI resources. CVSS Base score: 4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118403](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118403>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2016-6816](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816>) ** DESCRIPTION: **Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/119158](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119158>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2016-8735](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/119157](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119157>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2017-5647](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647>) ** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error in the processing of pipelined requests in send file. An attacker could exploit this vulnerability to obtain sensitive information from the wrong response. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124400](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124400>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-8022](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8022>) ** DESCRIPTION: **tomcat package for openSUSE could allow a local authenticated attacker to gain elevated privileges on the system, caused by an incorrect default permission flaw. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root. CVSS Base score: 7.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184110](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184110>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-29425](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425>) ** DESCRIPTION: **Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199852>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2018-10237](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237>) ** DESCRIPTION: **Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2020-8908](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908>) ** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) ** CVEID: **[CVE-2021-33813](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33813>) ** DESCRIPTION: **JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause the a denial of service. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203804](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203804>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ## Affected Products and Versions **Affected Product(s)**| **Version(s)** ---|--- Disconnected Log Collector| 1.0 - 1.7.2 ## Remediation/Fixes IBM encourages customers to update their systems promptly. To obtain the fixed version, visit Fix Central: [IBM Disconnected Log Collector v1.7.3.](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=DLC-1.7.3&includeRequisites=1&includeSupersedes=0&downloadMethod=http> "IBM Disconnected Log Collector v1.6" ) ## Workarounds and Mitigations None ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) ## Change History 30 May 2022: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment. ## Document Location Worldwide [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"10.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]


Affected Software


CPE Name Name Version
ibm qradar siem 10.0

Related