logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

2022-04-11T15:17:28

Description

## Summary IBM Data Risk Manager (IDRM) is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. This fix includes Spring Boot 2.6.6 and Spring Framework 5.3.18, and addresses multiple vulnerabilities with an updated version of IDRM 2.0.6.13. Please see the remediation steps below to apply the fix. All customers are encouraged to act quickly to update their systems. ## Vulnerability Details ** CVEID: **[CVE-2022-22942](<https://vulners.com/cve/CVE-2022-22942>) ** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by improper file descriptor handling in the vmwgfx driver. By sending a specially-crafted ioctl call, an attacker could exploit this vulnerability to gain access to files opened by other processes on the system, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218323](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218323>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2021-4155](<https://vulners.com/cve/CVE-2021-4155>) ** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by data leak flaw in the way how XFS_IOC_ALLOCSP IOCTL in the XFS filesystem is allowed for size increase of files with unaligned size. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information on the XFS filesystem, and use this information to launch further attacks against the affected system. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216919](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216919>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2022-23181](<https://vulners.com/cve/CVE-2022-23181>) ** DESCRIPTION: **Apache Tomcat could allow a local authenticated attacker to gain elevated privileges on the system, caused by a time of check, time of use flaw when configured to persist sessions using the FileStore. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to perform actions with the privileges of Tomcat process. CVSS Base score: 7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218221](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218221>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-35550](<https://vulners.com/cve/CVE-2021-35550>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 5.9 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211627](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211627>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2016-6796](<https://vulners.com/cve/CVE-2016-6796>) ** DESCRIPTION: **Apache Tomcat could allow a local attacker to bypass security restrictions. By modifying configuration parameters for the JSP Servlet, an attacker could exploit this vulnerability to bypass a configured SecurityManager. CVSS Base score: 4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/118404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118404>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2021-3573](<https://vulners.com/cve/CVE-2021-3573>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the hci_sock_bound_ioctl function. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the kernel to crash. CVSS Base score: 6.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203249](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203249>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-22096](<https://vulners.com/cve/CVE-2021-22096>) ** DESCRIPTION: **VMware Spring Framework could allow a remote attacker to bypass security restrictions. By sending a specially-crafted input, an attacker could exploit this vulnerability to cause the insertion of additional log entries. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/212430](<https://exchange.xforce.ibmcloud.com/vulnerabilities/212430>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2016-1000027](<https://vulners.com/cve/CVE-2016-1000027>) ** DESCRIPTION: **Pivota Spring Framework could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 6.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174367](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174367>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2021-22118](<https://vulners.com/cve/CVE-2021-22118>) ** DESCRIPTION: **VMware Tanzu Spring Framework could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the WebFlux application. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to read or modify files in the WebFlux application, or overwrite arbitrary files with multipart request data. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202705](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202705>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) ** CVEID: **[CVE-2020-5421](<https://vulners.com/cve/CVE-2020-5421>) ** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188530>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2018-10237](<https://vulners.com/cve/CVE-2018-10237>) ** DESCRIPTION: **Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2020-8908](<https://vulners.com/cve/CVE-2020-8908>) ** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) ** CVEID: **[CVE-2022-21365](<https://vulners.com/cve/CVE-2022-21365>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217659](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217659>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21360](<https://vulners.com/cve/CVE-2022-21360>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217654>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21349](<https://vulners.com/cve/CVE-2022-21349>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217643](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217643>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21341](<https://vulners.com/cve/CVE-2022-21341>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217636](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217636>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21340](<https://vulners.com/cve/CVE-2022-21340>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217635](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217635>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21305](<https://vulners.com/cve/CVE-2022-21305>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217600](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217600>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2022-21294](<https://vulners.com/cve/CVE-2022-21294>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217589](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217589>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21293](<https://vulners.com/cve/CVE-2022-21293>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217588](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217588>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21291](<https://vulners.com/cve/CVE-2022-21291>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217586](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217586>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2022-21248](<https://vulners.com/cve/CVE-2022-21248>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217543](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217543>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2021-36373](<https://vulners.com/cve/CVE-2021-36373>) ** DESCRIPTION: **Apache Ant is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205311](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205311>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2012-2098](<https://vulners.com/cve/CVE-2012-2098>) ** DESCRIPTION: **Apache Commons Compress and Apache Ant are vulnerable to a denial of service, caused by an error when using bzip2 compression to compress files. By passing specially-crafted input to the BZip2CompressorOutputStream class, a remote attacker could exploit this vulnerability to consume all available resources. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/75857](<https://exchange.xforce.ibmcloud.com/vulnerabilities/75857>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) ** CVEID: **[CVE-2021-31811](<https://vulners.com/cve/CVE-2021-31811>) ** DESCRIPTION: **Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203615](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203615>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-31812](<https://vulners.com/cve/CVE-2021-31812>) ** DESCRIPTION: **Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203587](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203587>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-27906](<https://vulners.com/cve/CVE-2021-27906>) ** DESCRIPTION: **Apache PDFBox is vulnerable to a denial of service, caused by an OutOfMemory-Exception flaw. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198452](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198452>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-27807](<https://vulners.com/cve/CVE-2021-27807>) ** DESCRIPTION: **Apache PDFBox is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially-crafted .PDF file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198451](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198451>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) ** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) ** CVEID: **[CVE-2019-12415](<https://vulners.com/cve/CVE-2019-12415>) ** DESCRIPTION: **Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by tool XSSFExportToXml. By sending a specially-crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/170015](<https://exchange.xforce.ibmcloud.com/vulnerabilities/170015>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2018-14040](<https://vulners.com/cve/CVE-2018-14040>) ** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146468](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146468>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2016-10735](<https://vulners.com/cve/CVE-2016-10735>) ** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-target attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155339](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155339>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2019-8331](<https://vulners.com/cve/CVE-2019-8331>) ** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip or popover data-template. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/157409](<https://exchange.xforce.ibmcloud.com/vulnerabilities/157409>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2018-14042](<https://vulners.com/cve/CVE-2018-14042>) ** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the data-container property of tooltip. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/146466](<https://exchange.xforce.ibmcloud.com/vulnerabilities/146466>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2018-20676](<https://vulners.com/cve/CVE-2018-20676>) ** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155338](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155338>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2018-20677](<https://vulners.com/cve/CVE-2018-20677>) ** DESCRIPTION: **Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the affix configuration target property. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155337](<https://exchange.xforce.ibmcloud.com/vulnerabilities/155337>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2019-10202](<https://vulners.com/cve/CVE-2019-10202>) ** DESCRIPTION: **Red Hat JBoss Enterprise Application Platform (EAP) could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization in Codehaus. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168251](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168251>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39145](<https://vulners.com/cve/CVE-2021-39145>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208113](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208113>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2020-26217](<https://vulners.com/cve/CVE-2020-26217>) ** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by flaws in the XStream.java and SecurityVulnerabilityTest.java scripts. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192210](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192210>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2021-39140](<https://vulners.com/cve/CVE-2021-39140>) ** DESCRIPTION: **XStream is vulnerable to a denial of service, caused by an infinite loop flaw. By manipulating the processed input stream, a remote authenticated attacker could exploit this vulnerability to allocate 100% CPU time on the target system, and results in a denial of service condition. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208110](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208110>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-29505](<https://vulners.com/cve/CVE-2021-29505>) ** DESCRIPTION: **XStream XStream could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper input validation. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202795](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202795>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39144](<https://vulners.com/cve/CVE-2021-39144>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208112](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208112>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39149](<https://vulners.com/cve/CVE-2021-39149>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208117](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208117>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21348](<https://vulners.com/cve/CVE-2021-21348>) ** DESCRIPTION: **XStream is vulnerable to a denial of service, caused by a regular expression denial of service flaw (ReDos). By using a specially-crafted regular expression input, a remote attacker could exploit this vulnerability to consume maximum CPU time. CVSS Base score: 5.9 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198625](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198625>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-39151](<https://vulners.com/cve/CVE-2021-39151>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208119](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208119>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21344](<https://vulners.com/cve/CVE-2021-21344>) ** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to execute arbitrary code from a remote server. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198621](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198621>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21342](<https://vulners.com/cve/CVE-2021-21342>) ** DESCRIPTION: **XStream is vulnerable to server-side request forgery, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to conduct SSRF attack o access data streams from an arbitrary URL referencing a resource in an intranet or the local host. CVSS Base score: 7.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198619](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198619>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) ** CVEID: **[CVE-2021-21343](<https://vulners.com/cve/CVE-2021-21343>) ** DESCRIPTION: **XStream could allow a remote attacker to bypass security restrictions, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to delete arbitrary files on the system. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198620](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198620>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N) ** CVEID: **[CVE-2020-26258](<https://vulners.com/cve/CVE-2020-26258>) ** DESCRIPTION: **XStream is vulnerable to server-side request forgery, caused by a flaw when unmarshalling. By manipulating the processed input stream, a remote attacker could exploit this vulnerability to obtain sensitive data. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193525](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193525>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2021-39153](<https://vulners.com/cve/CVE-2021-39153>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208121](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208121>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39141](<https://vulners.com/cve/CVE-2021-39141>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208111](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208111>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39147](<https://vulners.com/cve/CVE-2021-39147>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208115>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39148](<https://vulners.com/cve/CVE-2021-39148>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208116](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208116>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21347](<https://vulners.com/cve/CVE-2021-21347>) ** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198624](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198624>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21345](<https://vulners.com/cve/CVE-2021-21345>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198622](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198622>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2020-26259](<https://vulners.com/cve/CVE-2020-26259>) ** DESCRIPTION: **XStream could allow a remote attacker to delete arbitrary files from the system, caused by improper input sanitization. By manipulating the processed input, an attacker could exploit this vulnerability to delete arbitrary files from the system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193524](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193524>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) ** CVEID: **[CVE-2021-39146](<https://vulners.com/cve/CVE-2021-39146>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208114](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208114>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21349](<https://vulners.com/cve/CVE-2021-21349>) ** DESCRIPTION: **XStream is vulnerable to server-side request forgery, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to conduct SSRF attack to access data streams from an arbitrary URL referencing a resource in an intranet or the local host. CVSS Base score: 8.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198626](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198626>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) ** CVEID: **[CVE-2021-21350](<https://vulners.com/cve/CVE-2021-21350>) ** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198627](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198627>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21351](<https://vulners.com/cve/CVE-2021-21351>) ** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198628](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198628>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21346](<https://vulners.com/cve/CVE-2021-21346>) ** DESCRIPTION: **XStream could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when processing stream at unmarshalling time. By manipulating the processed input stream and replace or inject objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198623](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198623>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39154](<https://vulners.com/cve/CVE-2021-39154>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208122](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208122>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-21341](<https://vulners.com/cve/CVE-2021-21341>) ** DESCRIPTION: **XStream is vulnerable to a denial of service, caused by an endless loop flaw when processing stream at unmarshalling time. By manipulating the processed input stream, a remote attacker could exploit this vulnerability to allocate 100% CPU time. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/198618](<https://exchange.xforce.ibmcloud.com/vulnerabilities/198618>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-39150](<https://vulners.com/cve/CVE-2021-39150>) ** DESCRIPTION: **XStream is vulnerable to server-side request forgery, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to conduct SSRF attack to request data from internal resources. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208118](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208118>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39152](<https://vulners.com/cve/CVE-2021-39152>) ** DESCRIPTION: **XStream is vulnerable to server-side request forgery, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to conduct SSRF attack to request data from internal resources. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208120](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208120>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-39139](<https://vulners.com/cve/CVE-2021-39139>) ** DESCRIPTION: **XStream could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By manipulating the processed input stream, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208108>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-43859](<https://vulners.com/cve/CVE-2021-43859>) ** DESCRIPTION: **XStream is vulnerable to a denial of service, caused by improper input validation. By injecting highly recursive collections or maps, a remote attacker could exploit this vulnerability to allocate 100% CPU time on the system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/219177](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219177>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) ** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-28657](<https://vulners.com/cve/CVE-2021-28657>) ** DESCRIPTION: **Apache Tika is vulnerable to a denial of service, caused by an infinite loop flaw in the MP3 parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199112](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199112>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-37714](<https://vulners.com/cve/CVE-2021-37714>) ** DESCRIPTION: **jsoup is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the HTML and XML parser to get stuck, timeout, or throw unchecked exceptions resulting in a denial of service condition. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/207858](<https://exchange.xforce.ibmcloud.com/vulnerabilities/207858>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2020-36322](<https://vulners.com/cve/CVE-2020-36322>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a flaw in the fuse_do_getattr function in the FUSE filesystem implementation in . By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 6.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/200230](<https://exchange.xforce.ibmcloud.com/vulnerabilities/200230>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2022-23437](<https://vulners.com/cve/CVE-2022-23437>) ** DESCRIPTION: **Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217982](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217982>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2019-10086](<https://vulners.com/cve/CVE-2019-10086>) ** DESCRIPTION: **Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/166353](<https://exchange.xforce.ibmcloud.com/vulnerabilities/166353>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) ** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) ** CVEID: **[CVE-2022-27772](<https://vulners.com/cve/CVE-2022-27772>) ** DESCRIPTION: **Spring Boot could allow a local authenticated attacker to gain elevated privileges on the system, caused by temporary directory hijacking in org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. By placing a specially-crafted file, an attacker could exploit this vulnerability to take over the application. CVSS Base score: 7.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223090](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223090>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2021-3752](<https://vulners.com/cve/CVE-2021-3752>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the Bluetooth module. By sending a specially-crafted payload, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209448](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209448>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2015-4852](<https://vulners.com/cve/CVE-2015-4852>) ** DESCRIPTION: **The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. CVSS Base score: 9.8 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) ** DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. CVSS Base score: 9.8 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) ** DESCRIPTION: **Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2015-7501](<https://vulners.com/cve/CVE-2015-7501>) ** DESCRIPTION: **Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. CVSS Base score: 9.8 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-13116](<https://vulners.com/cve/CVE-2019-13116>) ** DESCRIPTION: **MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169704](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169704>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-3564](<https://vulners.com/cve/CVE-2021-3564>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a double free memory corruption flaw in the implementation of the BlueTooth subsystem. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202424](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202424>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2015-1796](<https://vulners.com/cve/CVE-2015-1796>) ** DESCRIPTION: **Shibboleth Identity Provider could allow a remote attacker to bypass security restrictions, caused by an error in the PKIX trust component. An attacker could exploit this vulnerability using a certificate issued by the shibmd:KeyAuthority trust anchors to impersonate any eneity. CVSS Base score: 5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/105594](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105594>) for the current score. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2020-15522](<https://vulners.com/cve/CVE-2020-15522>) ** DESCRIPTION: **Bouncy Castle BC Java, BC C# .NET, BC-FJA, BC-FNA could allow a remote attacker to obtain sensitive information, caused by a timing issue within the EC math library. By utilize cryptographic attack techniques, an attacker could exploit this vulnerability to obtain the private key information, and use this information to launch further attacks against the affected system. CVSS Base score: 5.9 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/202188](<https://exchange.xforce.ibmcloud.com/vulnerabilities/202188>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2020-26939](<https://vulners.com/cve/CVE-2020-26939>) ** DESCRIPTION: **Legion of the Bouncy Castle BC and Legion of the Bouncy Castle BC-FJA could allow a remote attacker to obtain sensitive information, caused by observable differences in behavior to rrror inputs in org.bouncycastle.crypto.encodings.OAEPEncoding. By using the OAEP Decoder to send invalid ciphertext that decrypts to a short payload, a remote attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191108](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191108>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2019-17359](<https://vulners.com/cve/CVE-2019-17359>) ** DESCRIPTION: **Bouncy Castle Crypto is vulnerable to a denial of service, caused by OutOfMemoryError error in ASN.1 parser. By sending specially crafted ASN.1 data, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168581](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168581>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2021-22060](<https://vulners.com/cve/CVE-2021-22060>) ** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to insert additional log entries. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217183>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2020-25704](<https://vulners.com/cve/CVE-2020-25704>) ** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the perf_event_parse_addr_filter function. By executing a specially-crafted program, a local attacker could exploit this vulnerability to exhaust available memory on the system. CVSS Base score: 6.2 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191348](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191348>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2022-0330](<https://vulners.com/cve/CVE-2022-0330>) ** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by a security sensitive bug in the i915 kernel driver. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause random memory corruption. CVSS Base score: 5.9 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218086](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218086>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2021-35515](<https://vulners.com/cve/CVE-2021-35515>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw in the construction of the list of codecs that decompress an entry. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' sevenz package. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205304](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205304>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2019-12402](<https://vulners.com/cve/CVE-2019-12402>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an error in the internal file name encoding algorithm. By choosing the file names inside of a specially crafted archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165956](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165956>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2021-35517](<https://vulners.com/cve/CVE-2021-35517>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' tar package. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205307](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205307>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2018-1324](<https://vulners.com/cve/CVE-2018-1324>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an error in the extra field parser used by the ZipFile and ZipArchiveInputStream classes. By persuading a victim to open a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/140401](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140401>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2021-36090](<https://vulners.com/cve/CVE-2021-36090>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' zip package. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205310](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205310>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2018-11771](<https://vulners.com/cve/CVE-2018-11771>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by the failure to return the correct EOF indication after the end of the stream has been reached by the ZipArchiveInputStream method. By reading a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 3.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/148429](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148429>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2021-35516](<https://vulners.com/cve/CVE-2021-35516>) ** DESCRIPTION: **Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' sevenz package. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/205306](<https://exchange.xforce.ibmcloud.com/vulnerabilities/205306>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-23222](<https://vulners.com/cve/CVE-2021-23222>) ** DESCRIPTION: **PostgreSQL is vulnerable to a man-in-the-middle attack, caused by improper validation of user-supplied input by libpq. A remote attacker could exploit this vulnerability to launch a man-in-the-middle attack to inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218383](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218383>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-9492](<https://vulners.com/cve/CVE-2020-9492>) ** DESCRIPTION: **Apache Hadoop could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper validation of SPNEGO authorization header. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges to trigger services to send server credentials to a webhdfs path for capturing the service principal. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/195656](<https://exchange.xforce.ibmcloud.com/vulnerabilities/195656>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2018-8009](<https://vulners.com/cve/CVE-2018-8009>) ** DESCRIPTION: **Apache Hadoop could could allow a remote attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip" CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/150617](<https://exchange.xforce.ibmcloud.com/vulnerabilities/150617>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) ** CVEID: **[CVE-2020-13936](<https://vulners.com/cve/CVE-2020-13936>) ** DESCRIPTION: **Apache Velocity could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw. By modifying the Velocity templates, an attacker could exploit this vulnerability to execute arbitrary code with the same privileges as the account running the Servlet container. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/197993](<https://exchange.xforce.ibmcloud.com/vulnerabilities/197993>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-10683](<https://vulners.com/cve/CVE-2020-10683>) ** DESCRIPTION: **dom4j could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181356](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181356>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2021-35603](<https://vulners.com/cve/CVE-2021-35603>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211676](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211676>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) ** DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2021-40690](<https://vulners.com/cve/CVE-2021-40690>) ** DESCRIPTION: **Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the improper passing of the "secureValidation" property when creating a KeyInfo from a KeyInfoReference element. An attacker could exploit this vulnerability to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209586](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209586>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2014-3604](<https://vulners.com/cve/CVE-2014-3604>) ** DESCRIPTION: **Not-Yet-Commons-SSL could allow a remote attacker to bypass security restrictions, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the SSL certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, a remote attacker could exploit this vulnerability using man-in-the-middle techniques to cause the victim to impersonate trusted servers. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/97659](<https://exchange.xforce.ibmcloud.com/vulnerabilities/97659>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2020-28052](<https://vulners.com/cve/CVE-2020-28052>) ** DESCRIPTION: **Legion of the Bouncy Castle BC Java could allow a remote attacker to bypass security restrictions. The OpenBSDBCrypt.checkPassword utility method compares incorrect data when checking the password. By using brute force techniques, an attacker could exploit this vulnerability to allow incorrect passwords to indicate they were matching with previously hashed ones that were different. CVSS Base score: 9 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/193563](<https://exchange.xforce.ibmcloud.com/vulnerabilities/193563>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) ** CVEID: **[CVE-2014-3643](<https://vulners.com/cve/CVE-2014-3643>) ** DESCRIPTION: **Jersey could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by jersey SAX parser. By sending a specially-crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174788](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174788>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2012-5783](<https://vulners.com/cve/CVE-2012-5783>) ** DESCRIPTION: **Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2022-23596](<https://vulners.com/cve/CVE-2022-23596>) ** DESCRIPTION: **Junrar is vulnerable to a denial of service, caused by an infinite loop when extracting RAR files. By persuading a victim to open a specially-crafted RAR file, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218764](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218764>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-29425](<https://vulners.com/cve/CVE-2021-29425>) ** DESCRIPTION: **Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199852](<https://exchange.xforce.ibmcloud.com/vulnerabilities/199852>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2017-18640](<https://vulners.com/cve/CVE-2017-18640>) ** DESCRIPTION: **SnakeYAML is vulnerable to a denial of service, caused by an entity expansion in Alias feature during a load operation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174331](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174331>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2021-22569](<https://vulners.com/cve/CVE-2021-22569>) ** DESCRIPTION: **Google Protocol Buffer (protobuf-java) is vulnerable to a denial of service, caused by an issue with allow interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open a specially-crafted content, a remote attacker could exploit this vulnerability to cause a timeout in ProtobufFuzzer function, and results in a denial of service condition. CVSS Base score: 3.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216851](<https://exchange.xforce.ibmcloud.com/vulnerabilities/216851>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2020-7746](<https://vulners.com/cve/CVE-2020-7746>) ** DESCRIPTION: **Node.js chart.js moudle is vulnerable to a denial of service, caused by a prototype pollution flaw when processing the options parameter. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190880](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190880>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-38153](<https://vulners.com/cve/CVE-2021-38153>) ** DESCRIPTION: **Apache Kafka could allow a remote attacker to obtain sensitive information, caused by a timing attack flaw due to the use of "Arrays.equals" to validate a password or key. By utilizing brute-force attack techniques, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/209762](<https://exchange.xforce.ibmcloud.com/vulnerabilities/209762>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2020-13954](<https://vulners.com/cve/CVE-2020-13954>) ** DESCRIPTION: **Apache CXF is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the services listing page. A remote attacker could exploit this vulnerability using the styleSheetPath in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191650](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191650>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** IBM X-Force ID: **220313 ** DESCRIPTION: **PostgreSQL JDBC Driver could allow a remote attacker to gain unauthorized access to the system, caused by the exposure of the connection properties for configuring a pgjdbc connection. By specifying arbitrary connection properties, a remote attacker could exploit this vulnerability to gain unauthorized access to the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220313 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220313>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** IBM X-Force ID: **220912 ** DESCRIPTION: **Apache HttpComponents Client could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view files on the system. CVSS Base score: 5.3 CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220912 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220912>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ## Affected Products and Versions Affected Product(s)| Version(s) ---|--- IBM DRM| 2.0.6.12 ## Remediation/Fixes To obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.12, and then apply the latest FixPack 2.0.6.13. _Product_| _VRMF_| _APAR _| _Remediation / First Fix_ ---|---|---|--- IBM Data Risk Manager| 2.0.6.12| - | 1) Apply [DRM_2.0.6.13_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.12&platform=Linux&function=all>) ---|---|---|--- ## Workarounds and Mitigations None ##


Affected Software


CPE Name Name Version
ibm data risk manager 2.0.6.12

Related


ibm
software

Security Bulletin: Vulnerabilities in XStream affect IBM Spectrum Copy Data Management

2021-12-11T00:37:03
ibm
software

Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream

2022-11-22T16:29:37
ibm
software

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

2022-04-27T23:05:41
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

2021-10-01T06:19:43
ibm
software

Security Bulletin: Vulnerabilities in XStream affect IBM Spectrum Protect Plus

2021-12-10T20:38:36
ibm
software

Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE

2022-05-26T07:31:20
ibm
software

Security Bulletin: Due to use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to arbitrary code execution attack

2023-01-24T14:30:09
ibm
software

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

2021-07-08T19:08:29
ibm
software

Security Bulletin: XStream (Publicly disclosed vulnerability)

2021-08-23T05:52:50
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

2021-05-14T01:38:05
ibm
software

Security Bulletin: Multiple vulnerabilites affect IBM Engineering Test Management product due to XStream

2022-07-26T06:38:02
ibm
software

Security Bulletin: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating

2021-04-13T21:10:50
ibm
software

Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights - Quaterly Java update, CVE-2021-35603 and CVE-2021-35550

2022-12-30T15:09:22
ibm
software

Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities.

2022-06-02T20:54:33
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java

2022-04-27T14:53:08
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime which affects IBM Integration Bus and IBM App Connect Enterprise

2022-04-27T10:39:35
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester

2022-03-23T07:10:55
ibm
software

Security Bulletin: Multiple vulnerabilities in Java SE affect IBM TXSeries for Multiplatforms

2022-06-15T15:49:41
ibm
software

Security Bulletin: Multiple vulnerabilities in Java SE affect IBM CICS TX Advanced

2023-02-14T21:04:36
ibm
software

Security Bulletin: Multiple vulnerabilities in Java SE affect IBM CICS TX Standard

2023-02-14T21:14:53
ibm
software

Security Bulletin: Multiple vulnerabilities have been identified in IBM Java 8 shipped with IBM® Intelligent Operations Center (CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-20)

2022-09-07T12:15:32
ibm
software

Security Bulletin: Vulnerabilities in the Java JDK affect IBM Event Streams (CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248)

2022-06-27T10:32:59
ibm
software

Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2022 - Includes Oracle® January 2022 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time

2022-06-22T02:20:49
ibm
software

Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java

2022-06-21T20:13:13
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional

2022-04-01T06:22:35
ibm
software

Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service

2022-04-25T15:54:22
ibm
software

Security Bulletin: IBM Rational Build Forge is vulnerable to unspecified vulnerabilities due to the use of IBM Java.

2022-07-21T05:22:47
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server January 2022 CPU that is bundled with IBM WebSphere Application Server Patterns

2022-06-21T22:19:04
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager

2022-06-22T04:07:46
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact

2022-06-29T17:54:48
ibm
software

Security Bulletin: Multiple vulnerabilities exist in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager

2022-05-24T10:09:56
ibm
software

Security Bulletin: June 2022 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway

2022-06-21T15:23:30
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, affect IBM Workload Scheduler.

2022-08-31T17:26:51
ibm
software

Security Bulletin: Multiple vulnerabbilities exists in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager

2022-05-24T10:18:34
ibm
software

Security Bulletin: June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition

2023-03-13T16:06:17
ibm
software

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java

2022-06-01T11:30:27
ibm
software

Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

2022-11-08T16:41:49
ibm
software

Security Bulletin: Vulnerabilities in MongoDB, Node.js, Docker, and XStream affect IBM Spectrum Protect Plus

2021-06-28T20:25:47
ibm
software

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

2022-02-22T17:06:50
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Commons Collections affect IBM InfoSphere Information Server

2022-10-14T22:00:35
ibm
software

Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of Apache Commons Collections (multiple vulnerabilities)

2022-11-22T16:37:00
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2022) affects IBM InfoSphere Information Server

2022-06-08T23:26:53
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer

2022-06-24T13:23:20
ibm
software

Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021

2022-06-27T19:53:35
ibm
software

Security Bulletin: IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities

2021-10-18T14:25:08
ibm
software

Security Bulletin: Watson Explorer is affected by Apache PDFBox vulnerabilities (CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812)

2021-07-19T09:24:11
ibm
software

Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM

2022-07-19T18:38:06
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights

2022-11-29T12:48:52
ibm
software

Security Bulletin: IBM Content Navigator is vulnerable to a denial of service vulnerabilty.

2021-08-19T16:20:09
ibm
software

Security Bulletin: IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons Compress

2021-10-29T22:16:45
ibm
software

Security Bulletin: Apache commons-compress security vulnerabilities in IBM Content Manager

2022-01-14T23:47:05
ibm
software

Security Bulletin: Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517)

2022-06-06T18:14:44
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

2021-10-28T23:12:16
ibm
software

Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow -CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090

2021-12-17T18:41:15
ibm
software

Security Bulletin: Apache Commons as used by IBM Tivoli Network Manager is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

2022-07-04T12:55:48
ibm
software

Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress

2022-08-22T16:39:58
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Compress

2021-10-01T06:22:55
ibm
software

Security Bulletin: Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

2021-09-19T23:41:44
ibm
software

Security Bulletin: IBM Security Verify Governance is vulnerable to denial of service due to use of Apache Commons Compress (CVE-2021-35517, CVE-2021-36090, CVE-2021-35515, CVE-2021-35516)

2023-01-03T12:05:38
ibm
software

Security Bulletin: IBM B2B Advanced Communications is vulnerable to multiple issues due to Apache Commons Compress

2023-02-20T06:25:38
ibm
software

Security Bulletin: IBM Sterling B2B Integrator is vulnerable to multiple vulnerabilities due to Xstream

2022-05-13T14:58:22
ibm
software

Security Bulletin: Multiple Vulnerabilities in Rational Synergy 7.2.2.4

2022-09-30T08:52:40
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

2022-06-09T07:51:12
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

2022-06-09T07:26:18
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

2022-06-09T07:48:35
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

2022-06-09T07:50:02
ibm
software

Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition

2022-06-01T10:22:38
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services

2022-03-23T04:11:50
ibm
software

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022

2022-04-29T10:04:28
ibm
software

Security Bulletin: IBM MQ is vulnerable to multiple issues within IBM® Runtime Environment Java™ Technology Edition, Versions 7 and 8 (CVE-2021-35603, CVE-2022-21305, CVE-2022-21291, CVE-2021-35550)

2022-11-16T11:30:07
ibm
software

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream

2021-05-08T01:23:09
ibm
software

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

2021-02-27T03:41:18
ibm
software

Security Bulletin: Vulnerabilities in Node.js, XStream and Apache Commons affect IBM Spectrum Control

2021-08-31T08:17:26
ibm
software

Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow, and IBM Business Process Manager Java CPU January 2022

2022-09-14T15:28:14
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2022 CPU (CVE-2022-21248, CVE-2022-21293, CVE-2022-21294, CVE-2022-21341)

2022-06-10T08:13:41
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2022 CPU (CVE-2022-21248, CVE-2022-21293, CVE-2022-21294, CVE-2022-21341)

2022-06-10T08:08:30
ibm
software

Security Bulletin: Vulnerability in IBM SDK, Java Technology (CVE-2022-21341, CVE-2022-21294, CVE-2022-21293 and CVE-2022-21248) affects Power HMC

2022-05-30T06:53:37
ibm
software

Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control

2021-05-20T08:07:38
ibm
software

Security Bulletin: An Unspecified Vulnerability in Java runtime affects Predictive Maintenance and Quality and Predictive Maintenance Insights (CVE-2021-35603)

2022-09-23T14:27:47
ibm
software

Security Bulletin: Vulnerability exists for Spring Framework in Watson Explorer (CVE-2021-22060, CVE-2022-22965, CVE-2022-22950)

2022-04-22T11:43:07
ibm
software

Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs)

2022-07-07T17:40:13
ibm
software

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX

2022-11-14T16:23:08
nessus
scanner

Debian DSA-5004-1 : libxstream-java - security update

2021-11-12T00:00:00
nessus
scanner

Debian DLA-2769-1 : libxstream-java - LTS security update

2021-10-01T00:00:00
nessus
scanner

openSUSE 15 Security Update : xstream (openSUSE-SU-2021:3476-1)

2021-10-21T00:00:00
nessus
scanner

SUSE SLED15 / SLES15 Security Update : xstream (SUSE-SU-2021:3476-1)

2021-10-21T00:00:00
nessus
scanner

Oracle Linux 7 : xstream (ELSA-2021-3956)

2021-10-26T00:00:00
nessus
scanner

RHEL 7 : xstream (RHSA-2021:3956)

2021-10-26T00:00:00
nessus
scanner

openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1401-1)

2021-11-01T00:00:00
nessus
scanner

Amazon Linux 2 : xstream (ALAS-2021-1729)

2021-12-10T00:00:00
nessus
scanner

Scientific Linux Security Update : xstream on SL7.x (noarch) (2021:3956)

2021-10-25T00:00:00
nessus
scanner

Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : XStream vulnerabilities (USN-4943-1)

2021-05-12T00:00:00
nessus
scanner

Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : XStream vulnerabilities (USN-5946-1)

2023-03-13T00:00:00
nessus
scanner

Debian DLA-2616-1 : libxstream-java security update

2021-04-05T00:00:00
nessus
scanner

openSUSE Security Update : xstream (openSUSE-2021-832)

2021-06-04T00:00:00
nessus
scanner

openSUSE 15 Security Update : xstream (openSUSE-SU-2021:1840-1)

2021-07-16T00:00:00
nessus
scanner

RHEL 7 : java-1.8.0-ibm (RHSA-2022:0968)

2022-03-21T00:00:00
nessus
scanner

RHEL 7 : java-1.7.1-ibm (RHSA-2022:0969)

2022-03-21T00:00:00
nessus
scanner

RHEL 8 : java-1.8.0-ibm (RHSA-2022:0970)

2022-03-21T00:00:00
nessus
scanner

RHEL 7 : xstream (RHSA-2021:1354)

2021-04-26T00:00:00
nessus
scanner

Oracle Linux 7 : xstream (ELSA-2021-1354)

2021-04-27T00:00:00
nessus
scanner

Amazon Linux 2 : xstream (ALAS-2021-1645)

2021-05-24T00:00:00
nessus
scanner

CentOS 7 : xstream (CESA-2021:1354)

2021-04-30T00:00:00
nessus
scanner

NewStart CGSL CORE 5.05 / MAIN 5.05 : xstream Multiple Vulnerabilities (NS-SA-2022-0033)

2022-05-09T00:00:00
nessus
scanner

NewStart CGSL CORE 5.04 / MAIN 5.04 : xstream Multiple Vulnerabilities (NS-SA-2021-0108)

2021-10-27T00:00:00
nessus
scanner

RHEL 7 : python-XStatic-Bootstrap-SCSS (RHSA-2020:5571)

2020-12-18T00:00:00
nessus
scanner

IBM Java 7.0 < 7.0.11.5 / 7.1 < 7.1.5.5 / 8.0 < 8.0.7.5 Multiple Vulnerabilities

2022-04-29T00:00:00
nessus
scanner

Tenable SecurityCenter < 5.19.0 Multiple XSS Vulnerabilities (TNS-2021-14)

2021-09-03T00:00:00
nessus
scanner

openSUSE 15 Security Update : apache-commons-compress (openSUSE-SU-2021:1115-1)

2021-08-11T00:00:00
nessus
scanner

SUSE SLED15 / SLES15 Security Update : apache-commons-compress (SUSE-SU-2021:2612-1)

2021-08-06T00:00:00
nessus
scanner

openSUSE 15 Security Update : apache-commons-compress (openSUSE-SU-2021:2612-1)

2021-08-06T00:00:00
nessus
scanner

RHEL 8 : RHV Manager (ovirt-engine) [ovirt-4.5.1] (RHSA-2022:5555)

2022-07-15T00:00:00
nessus
scanner

SUSE SLES15 Security Update : java-1_8_0-openjdk (SUSE-SU-2022:0873-1)

2022-03-17T00:00:00
nessus
scanner

openSUSE 15 Security Update : java-1_8_0-openjdk (openSUSE-SU-2022:0873-1)

2022-03-17T00:00:00
nessus
scanner

Debian DLA-2917-1 : openjdk-8 - LTS security update

2022-02-11T00:00:00
nessus
scanner

SUSE SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2022:0871-1)

2022-03-17T00:00:00
nessus
scanner

Amazon Corretto Java 8.x < 8.322.06.1 Multiple Vulnerabilities

2022-04-01T00:00:00
nessus
scanner

EulerOS 2.0 SP3 : java-1.8.0-openjdk (EulerOS-SA-2022-1733)

2022-05-26T00:00:00
nessus
scanner

EulerOS 2.0 SP8 : java-1.8.0-openjdk (EulerOS-SA-2022-1571)

2022-04-25T00:00:00
nessus
scanner

openSUSE Security Update : xstream (openSUSE-2021-140)

2021-01-25T00:00:00
nessus
scanner

Ubuntu 18.04 LTS / 20.04 LTS : XStream vulnerabilities (USN-4714-1)

2021-01-29T00:00:00
nessus
scanner

RHEL 7 : Virtualization Manager (RHSA-2019:3023)

2019-10-15T00:00:00
nessus
scanner

EulerOS 2.0 SP3 : java-1.7.0-openjdk (EulerOS-SA-2022-1732)

2022-05-30T00:00:00
nessus
scanner

OpenJDK 7 <= 7u321 / 8 <= 8u312 / 11.0.0 <= 11.0.13 / 13.0.0 <= 13.0.9 / 15.0.0 <= 15.0.5 / 17.0.0 <= 17.0.1 Multiple Vulnerabilities (2022-01-18

2022-01-19T00:00:00
nessus
scanner

Azul Zulu Java Multiple Vulnerabilities (2022-01-18)

2022-03-07T00:00:00
nessus
scanner

openSUSE 15 Security Update : java-1_8_0-openj9 (openSUSE-SU-2022:0870-1)

2022-03-17T00:00:00
nessus
scanner

RHEL 8 : java-1.8.0-openjdk (RHSA-2022:0305)

2022-01-28T00:00:00
nessus
scanner

Oracle Linux 7 : java-1.8.0-openjdk (ELSA-2022-0306)

2022-01-28T00:00:00
nessus
scanner

Oracle Linux 8 : java-1.8.0-openjdk (ELSA-2022-0307)

2022-01-28T00:00:00
nessus
scanner

Rocky Linux 8 : java-1.8.0-openjdk (RLSA-2022:307)

2022-02-09T00:00:00
nessus
scanner

RHEL 7 : java-1.8.0-openjdk (RHSA-2022:0306)

2022-01-28T00:00:00
debian
unix

[SECURITY] [DSA 5004-1] libxstream-java security update

2021-11-10T20:29:25
debian
unix

[SECURITY] [DSA 5004-1] libxstream-java security update

2021-11-10T20:46:19
debian
unix

[SECURITY] [DSA 5004-1] libxstream-java security update

2021-11-10T20:29:25
debian
unix

[SECURITY] [DLA 2769-1] libxstream-java security update

2021-09-29T23:28:17
debian
unix

[SECURITY] [DLA 2616-1] libxstream-java security update

2021-04-03T19:56:11
debian
unix

[SECURITY] [DLA 2917-1] openjdk-8 security update

2022-02-10T08:51:22
fedora
unix

[SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34

2021-10-12T23:45:05
fedora
unix

[SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33

2021-10-12T23:47:14
fedora
unix

[SECURITY] Fedora 35 Update: xstream-1.4.18-2.fc35

2021-10-29T23:18:39
fedora
unix

[SECURITY] Fedora 34 Update: java-1.8.0-openjdk-1.8.0.322.b06-2.fc34

2022-02-11T01:11:34
fedora
unix

[SECURITY] Fedora 35 Update: java-1.8.0-openjdk-1.8.0.322.b06-2.fc35

2022-02-11T01:23:37
suse
unix

Security update for xstream (important)

2021-10-20T00:00:00
suse
unix

Security update for xstream (important)

2021-10-31T00:00:00
suse
unix

Security update for xstream (important)

2021-06-04T00:00:00
suse
unix

Security update for xstream (important)

2021-07-11T00:00:00
suse
unix

Security update for apache-commons-compress (important)

2021-08-10T00:00:00
suse
unix

Security update for apache-commons-compress (important)

2021-08-05T00:00:00
suse
unix

Security update for java-1_8_0-openjdk (important)

2022-03-16T00:00:00
suse
unix

Security update for xstream (important)

2021-01-22T00:00:00
suse
unix

Security update for java-1_8_0-openj9 (important)

2022-03-16T00:00:00
oraclelinux
unix

xstream security update

2021-10-25T00:00:00
oraclelinux
unix

xstream security update

2021-04-27T00:00:00
oraclelinux
unix

java-1.8.0-openjdk security update

2022-01-27T00:00:00
oraclelinux
unix

java-1.8.0-openjdk security and bug fix update

2022-01-27T00:00:00
redhat
unix

(RHSA-2021:3956) Important: xstream security update

2021-10-25T06:30:03
redhat
unix

(RHSA-2021:4918) Moderate: Red Hat Integration Camel-K 1.6 release and security update

2021-12-02T16:13:28
redhat
unix

(RHSA-2022:0297) Moderate: Red Hat Decision Manager 7.12.0 security update

2022-01-26T16:28:59
redhat
unix

(RHSA-2021:2475) Moderate: Red Hat Process Automation Manager 7.11.0 security update

2021-06-17T13:10:44
redhat
unix

(RHSA-2021:2476) Moderate: Red Hat Decision Manager 7.11.0 security update

2021-06-17T13:10:59
redhat
unix

(RHSA-2022:0296) Critical: Red Hat Process Automation Manager 7.12.0 security update

2022-01-26T15:49:06
redhat
unix

(RHSA-2022:0520) Moderate: Red Hat Data Grid 8.3.0 security update

2022-02-14T13:01:56
redhat
unix

(RHSA-2021:4767) Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update

2021-11-23T10:29:48
redhat
unix

(RHSA-2022:0969) Moderate: java-1.7.1-ibm security update

2022-03-21T07:18:57
redhat
unix

(RHSA-2022:0968) Moderate: java-1.8.0-ibm security update

2022-03-21T07:18:38
redhat
unix

(RHSA-2022:0970) Moderate: java-1.8.0-ibm security update

2022-03-21T07:19:20
redhat
unix

(RHSA-2021:2139) Critical: Red Hat Data Grid 8.2.0 security update

2021-05-26T21:45:53
redhat
unix

(RHSA-2021:1354) Important: xstream security update

2021-04-26T05:03:43
redhat
unix

(RHSA-2020:5571) Moderate: python-XStatic-Bootstrap-SCSS security update

2020-12-16T12:54:58
redhat
unix

(RHSA-2022:5555) Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update

2022-07-14T12:11:20
redhat
unix

(RHSA-2019:3023) Moderate: ovirt-engine-ui-extensions security and bug fix update

2019-10-10T14:49:36
redhat
unix

(RHSA-2022:0304) Moderate: java-1.8.0-openjdk security update

2022-01-27T13:52:51
redhat
unix

(RHSA-2022:0305) Moderate: java-1.8.0-openjdk security update

2022-01-27T13:49:14
redhat
unix

(RHSA-2022:0312) Moderate: java-1.8.0-openjdk security update

2022-01-27T15:48:40
redhat
unix

(RHSA-2022:0321) Moderate: OpenJDK 8u322 Windows builds release and security update

2022-01-27T19:55:12
redhat
unix

(RHSA-2022:0317) Moderate: OpenJDK 8u322 security update for Portable Linux Builds

2022-01-27T19:55:10
redhat
unix

(RHSA-2022:0306) Moderate: java-1.8.0-openjdk security update

2022-01-27T13:54:42
redhat
unix

(RHSA-2022:0307) Moderate: java-1.8.0-openjdk security and bug fix update

2022-01-27T13:47:36
amazon
unix

Important: xstream

2021-12-08T16:28:00
amazon
unix

Important: xstream

2021-05-20T17:10:00
mageia
unix

Updated xstream/xmlpull/mxparser packages fix security vulnerability

2021-10-13T19:39:52
mageia
unix

Updated xstream packages fix security vulnerabilities

2021-07-25T14:45:06
mageia
unix

Updated osgi-core/apache-commons-compress packages fix security vulnerability

2022-01-11T07:12:42
osv
software

libxstream-java - security update

2021-11-10T00:00:00
osv
software

libxstream-java - security update

2021-09-30T00:00:00
osv
software

libxstream-java - security update

2021-04-03T00:00:00
osv
software

openjdk-8 - security update

2022-02-10T00:00:00
ubuntu
unix

XStream vulnerabilities

2021-05-11T00:00:00
ubuntu
unix

XStream vulnerabilities

2023-03-13T00:00:00
ubuntu
unix

XStream vulnerabilities

2021-01-28T00:00:00
centos
unix

xstream security update

2021-04-29T17:56:41
githubexploit
exploit

Exploit for Unrestricted Upload of File with Dangerous Type in Xstream Project Xstream

2021-08-24T06:15:20
githubexploit
exploit

Exploit for OS Command Injection in Xstream Project Xstream

2020-12-13T17:39:11
altlinux
unix

Security fix for the ALT Linux 10 package java-1.8.0-openjdk version 0:1.8.0.322.b06-alt2_1jpp8

2022-04-07T00:00:00
ics
info

Mitsubishi Electric EcoWebServerIII

2022-02-24T12:00:00
f5
software

Multiple Oracle Java SE vulnerabilities

2022-11-24T14:47:00
aix
unix

Multiple vulnerabilities in IBM Java SDK affect AIX

2022-06-14T14:37:05
almalinux
unix

Moderate: java-1.8.0-openjdk security and bug fix update

2022-01-27T13:47:36
rocky
unix

java-1.8.0-openjdk security and bug fix update

2022-02-01T03:36:17