DATABASE RESOURCES PRICING ABOUT US

{"id": "B8C124EE4E419DE7F41A9CB0246E9FF21300C4C9A2734EF999830B9906B65133", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Multiple Vulnerabilities identified in IBM StoredIQ", "description": "## Summary\n\nMultiple vulnerabilities in bundled software packages affect IBM StoredIQ. IBM StoredIQ has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2009-0217](<https://vulners.com/cve/CVE-2009-0217>) \n**DESCRIPTION: **The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/51716](<https://exchange.xforce.ibmcloud.com/vulnerabilities/51716>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2012-5783](<https://vulners.com/cve/CVE-2012-5783>) \n**DESCRIPTION: **Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2012-2098](<https://vulners.com/cve/CVE-2012-2098>) \n**DESCRIPTION: **Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/75857](<https://exchange.xforce.ibmcloud.com/vulnerabilities/75857>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2017-3589](<https://vulners.com/cve/CVE-2017-3589>) \n**DESCRIPTION: **Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily \"exploitable\" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n\n \n**CVEID: **[CVE-2017-3586](<https://vulners.com/cve/CVE-2017-3586>) \n**DESCRIPTION: **Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily \"exploitable\" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). \nCVSS Base score: 6.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/124960](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124960>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) \n\n \n**CVEID: **[CVE-2017-3523](<https://vulners.com/cve/CVE-2017-3523>) \n**DESCRIPTION: **Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). \nCVSS Base score: 8.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/126183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/126183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2014-0114](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION: **Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92889](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n\n \n**CVEID: **[CVE-2010-1632](<https://vulners.com/cve/CVE-2010-1632>) \n**DESCRIPTION: **Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService. \nCVSS Base score: 5.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/59588](<https://exchange.xforce.ibmcloud.com/vulnerabilities/59588>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P) \n\n \n**CVEID: **[CVE-2009-2625](<https://vulners.com/cve/CVE-2009-2625>) \n**DESCRIPTION: **XMLScanner.java in Apache Xerces2 Java, asused in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n**DESCRIPTION: **XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause adenial of service via vectors related to XML attribute names. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n\n \n**CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n**DESCRIPTION: **Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n**DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>) \n**DESCRIPTION: **The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/82618](<https://exchange.xforce.ibmcloud.com/vulnerabilities/82618>) for the current score. \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) \n\n \n**CVEID: **[CVE-2016-1000031](<https://vulners.com/cve/CVE-2016-1000031>) \n**DESCRIPTION: **Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117957](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117957>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) \n**DESCRIPTION: **MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90987](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90987>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2018-20433](<https://vulners.com/cve/CVE-2018-20433>) \n**DESCRIPTION: **c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/154680](<https://exchange.xforce.ibmcloud.com/vulnerabilities/154680>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n\n \n**CVEID: **[CVE-2019-5427](<https://vulners.com/cve/CVE-2019-5427>) \n**DESCRIPTION: **c3p0 version &lt; 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160025](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160025>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2012-5055](<https://vulners.com/cve/CVE-2012-5055>) \n**DESCRIPTION: **DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/80568](<https://exchange.xforce.ibmcloud.com/vulnerabilities/80568>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID: **[CVE-2016-3093](<https://vulners.com/cve/CVE-2016-3093>) \n**DESCRIPTION: **Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n \n**CVEID: **[CVE-2016-5725](<https://vulners.com/cve/CVE-2016-5725>) \n**DESCRIPTION: **Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117122](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117122>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n\n \n**CVEID: **[CVE-2018-10237](<https://vulners.com/cve/CVE-2018-10237>) \n**DESCRIPTION: **Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/142508](<https://exchange.xforce.ibmcloud.com/vulnerabilities/142508>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2012-5783](<https://vulners.com/cve/CVE-2012-5783>) \n**DESCRIPTION: **Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2019-5427](<https://vulners.com/cve/CVE-2019-5427>) \n**DESCRIPTION: **c3p0 version &lt; 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/160025](<https://exchange.xforce.ibmcloud.com/vulnerabilities/160025>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2012-2098](<https://vulners.com/cve/CVE-2012-2098>) \n**DESCRIPTION: **Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/75857](<https://exchange.xforce.ibmcloud.com/vulnerabilities/75857>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2014-3578](<https://vulners.com/cve/CVE-2014-3578>) \n**DESCRIPTION: **Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93774](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93774>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n \n**CVEID: **[CVE-2018-1272](<https://vulners.com/cve/CVE-2018-1272>) \n**DESCRIPTION: **Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141286](<https://exchange.xforce.ibmcloud.com/vulnerabilities/141286>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) \n\n \n**CVEID: **[CVE-2014-3603](<https://vulners.com/cve/CVE-2014-3603>) \n**DESCRIPTION: **The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/164271](<https://exchange.xforce.ibmcloud.com/vulnerabilities/164271>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n\n \n**CVEID: **[CVE-2015-1796](<https://vulners.com/cve/CVE-2015-1796>) \n**DESCRIPTION: **The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/105594](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105594>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n \n**CVEID: **[CVE-2017-5645](<https://vulners.com/cve/CVE-2017-5645>) \n**DESCRIPTION: **In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/127479](<https://exchange.xforce.ibmcloud.com/vulnerabilities/127479>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2017-7957](<https://vulners.com/cve/CVE-2017-7957>) \n**DESCRIPTION: **XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"&lt;void/&gt;\") call. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/125800](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n \n**CVEID: **[CVE-2016-3674](<https://vulners.com/cve/CVE-2016-3674>) \n**DESCRIPTION: **Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111806](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111806>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n \n**CVEID: **[CVE-2013-7285](<https://vulners.com/cve/CVE-2013-7285>) \n**DESCRIPTION: **Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90229>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n\n \n**CVEID: **[CVE-2009-2625](<https://vulners.com/cve/CVE-2009-2625>) \n**DESCRIPTION: **XMLScanner.java in Apache Xerces2 Java, asused in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n \n**CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n**DESCRIPTION: **XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause adenial of service via vectors related to XML attribute names. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n\n \n**CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n**DESCRIPTION: **Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n \n**CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n**DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-12384](<https://vulners.com/cve/CVE-2019-12384>) \n**DESCRIPTION: **FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162849](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162849>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n \n**CVEID: **[CVE-2019-12814](<https://vulners.com/cve/CVE-2019-12814>) \n**DESCRIPTION: **A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/162875](<https://exchange.xforce.ibmcloud.com/vulnerabilities/162875>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nStoredIQ | 7.6.0 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nIBM StoredIQ | 7.6.0.0 - 7.6.0.19 | _N/A_ | Apply Fix Pack 7.6.0.20 that is available from Fix Central. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2020-02-20T12:42:12", "modified": "2020-02-20T12:42:12", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.ibm.com/support/pages/node/3106029", "reporter": "IBM", "references": [], "cvelist": ["CVE-2009-0217", "CVE-2009-2625", "CVE-2010-1632", "CVE-2012-0881", "CVE-2012-2098", "CVE-2012-5055", "CVE-2012-5783", "CVE-2013-0248", "CVE-2013-4002", "CVE-2013-7285", "CVE-2014-0050", "CVE-2014-0114", "CVE-2014-3578", "CVE-2014-3603", "CVE-2015-1796", "CVE-2015-6420", "CVE-2016-1000031", "CVE-2016-3093", "CVE-2016-3674", "CVE-2016-5725", "CVE-2017-15708", "CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589", "CVE-2017-5645", "CVE-2017-7957", "CVE-2018-10237", "CVE-2018-1272", "CVE-2018-20433", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-5427"], "immutableFields": [], "lastseen": "2023-02-24T05:44:39", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2019:2720"]}, {"type": "amazon", "idList": ["ALAS-2013-169", "ALAS-2013-235", "ALAS-2013-246", "ALAS-2014-312", "ALAS-2014-344", "ALAS-2014-410", "ALAS-2014-436", "ALAS-2022-1562"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONF-32557", "ATLASSIAN:CONF-37991", "ATLASSIAN:CONFSERVER-32557", "ATLASSIAN:CONFSERVER-37991", "ATLASSIAN:CONFSERVER-59684", "ATLASSIAN:CRUC-8382", "ATLASSIAN:CRUC-8411", "ATLASSIAN:CWD-4355", "ATLASSIAN:FE-7164", "ATLASSIAN:FE-7200", "ATLASSIAN:FE-7345", "CONFSERVER-32557", "CRUC-8382", "CRUC-8411", "CWD-4355", "FE-7164", "FE-7200", "FE-7345"]}, {"type": "attackerkb", "idList": ["AKB:FB2F65B2-D10B-4622-AEE6-41AAD3C1E6E7"]}, {"type": "centos", "idList": ["CESA-2009:1201", "CESA-2009:1428", "CESA-2009:1615", "CESA-2013:0270", "CESA-2013:1447", "CESA-2013:1451", "CESA-2013:1505", "CESA-2014:0429", "CESA-2014:0474", "CESA-2014:0865", "CESA-2014:1319", "CESA-2017:2423"]}, {"type": "cert", "idList": ["VU:466161", "VU:576313", "VU:581311"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2010-201", "CPAI-2014-1094", "CPAI-2014-1480", "CPAI-2014-1535", "CPAI-2015-0358", "CPAI-2017-1216", "CPAI-2018-1066", "CPAI-2019-0232"]}, {"type": "cisa", "idList": ["CISA:848AFE845B4D41B0B59F2090C2571363"]}, {"type": "cisco", "idList": ["CISCO-SA-20151209-JAVA-DESERIALIZATION"]}, {"type": "cve", "idList": ["CVE-2009-0217", "CVE-2009-2625", "CVE-2009-3560", "CVE-2009-3720", "CVE-2010-1632", "CVE-2010-2076", "CVE-2012-0881", "CVE-2012-2098", "CVE-2012-5055", "CVE-2012-5783", "CVE-2012-6153", "CVE-2013-0248", "CVE-2013-2155", "CVE-2013-4002", "CVE-2013-7285", "CVE-2014-0050", "CVE-2014-0114", "CVE-2014-3540", "CVE-2014-3578", "CVE-2014-3603", "CVE-2014-3893", "CVE-2015-1796", "CVE-2015-6420", "CVE-2016-1000031", "CVE-2016-3093", "CVE-2016-3674", "CVE-2016-5725", "CVE-2017-15708", "CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589", "CVE-2017-5645", "CVE-2017-7957", "CVE-2018-10237", "CVE-2018-1272", "CVE-2018-20433", "CVE-2019-10173", "CVE-2019-12384", "CVE-2019-12814", "CVE-2019-3834", "CVE-2019-5427"]}, {"type": "d2", "idList": ["D2SEC_AXIS"]}, {"type": "debian", "idList": ["DEBIAN:5632FBD318D26EA8A80F3D207C2C37F3:9024E", "DEBIAN:AA8BFC743191D0959985E057DB33B94C:9A0AD", "DEBIAN:DLA-1621-1:66AE9", "DEBIAN:DLA-1621-1:D267E", "DEBIAN:DLA-1831-1:3FBA4", "DEBIAN:DLA-1831-1:5617B", "DEBIAN:DLA-1853-1:A6F5D", "DEBIAN:DLA-2184-1:7B407", "DEBIAN:DLA-222-1:38FAF", "DEBIAN:DLA-504-1:21FF9", "DEBIAN:DLA-504-1:37F35", "DEBIAN:DLA-57-1:29ABF", "DEBIAN:DLA-57-1:6DE0E", "DEBIAN:DLA-611-1:1B900", "DEBIAN:DLA-930-1:3C143", "DEBIAN:DLA-945-1:346D0", "DEBIAN:DLA-945-1:BD1DE", "DEBIAN:DSA-1849-1:89AE0", "DEBIAN:DSA-1921-1:C5EF4", "DEBIAN:DSA-1984-1:C7503", "DEBIAN:DSA-1995-1:C2E93", "DEBIAN:DSA-2856-1:D2DA2", "DEBIAN:DSA-2897-1:13B38", "DEBIAN:DSA-2940-1:494C4", "DEBIAN:DSA-3575-1:A3240", "DEBIAN:DSA-3840-1:214E5", "DEBIAN:DSA-3841-1:B278A", "DEBIAN:DSA-3857-1:6B7D0", "DEBIAN:DSA-4542-1:03F2D", "DEBIAN:DSA-4542-1:432E5", "DEBIAN:EF2D0EA9907B5A3BFB7CC445DCA35794:9024E", "DEBIAN:F036444C1AE88D532E8E6B216967B2CC:9A0AD", "DEBIAN:F036444C1AE88D532E8E6B216967B2CC:C0C8A"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2009-0217", "DEBIANCVE:CVE-2009-2625", "DEBIANCVE:CVE-2009-3560", "DEBIANCVE:CVE-2009-3720", "DEBIANCVE:CVE-2012-0881", "DEBIANCVE:CVE-2012-2098", "DEBIANCVE:CVE-2012-5783", "DEBIANCVE:CVE-2012-6153", "DEBIANCVE:CVE-2013-0248", "DEBIANCVE:CVE-2013-2155", "DEBIANCVE:CVE-2013-7285", "DEBIANCVE:CVE-2014-0050", "DEBIANCVE:CVE-2014-0114", "DEBIANCVE:CVE-2014-3578", "DEBIANCVE:CVE-2016-1000031", "DEBIANCVE:CVE-2016-3674", "DEBIANCVE:CVE-2016-5725", "DEBIANCVE:CVE-2017-3523", "DEBIANCVE:CVE-2017-3586", "DEBIANCVE:CVE-2017-3589", "DEBIANCVE:CVE-2017-5645", "DEBIANCVE:CVE-2017-7957", "DEBIANCVE:CVE-2018-1272", "DEBIANCVE:CVE-2018-20433", "DEBIANCVE:CVE-2019-10173", "DEBIANCVE:CVE-2019-12384", "DEBIANCVE:CVE-2019-12814", "DEBIANCVE:CVE-2019-5427"]}, {"type": "dsquare", "idList": ["E-16"]}, {"type": "exploitdb", "idList": ["EDB-ID:31615", "EDB-ID:39193"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:5F816FAE3FBDB1D267530F19C0426785", "EXPLOITPACK:868FED2D5F6215B2F39518F65E3C1404", "EXPLOITPACK:EB000848EE6583FA3B8F33FA4CDD34C0"]}, {"type": "f5", "idList": ["F5:K15189", "F5:K15364328", "F5:K15580", "F5:K15905", "F5:K16872", "F5:K23173103", "F5:K23432135", "F5:K25206238", "F5:K29042031", "SOL15189", "SOL15282", "SOL15364328", "SOL15580", "SOL15741", "SOL15905", "SOL16872", "SOL23432135"]}, {"type": "fedora", "idList": ["FEDORA:0319E6092537", "FEDORA:04A5C23F7A", "FEDORA:0730C6051059", "FEDORA:094AC10F879", "FEDORA:0AC1C60C76B5", "FEDORA:0D4A66058533", "FEDORA:13FF82114D", "FEDORA:1614F602E7DC", "FEDORA:25F4A2151F", "FEDORA:2ED3A6058506", "FEDORA:309E1233DF", "FEDORA:30E656126A67", "FEDORA:3403F601DEC5", "FEDORA:341EA6057129", "FEDORA:376506075014", "FEDORA:38DE2220D8", "FEDORA:4FB5560427DA", "FEDORA:50818233B7", "FEDORA:53C3261278CC", "FEDORA:53E1D20E9E", "FEDORA:58AC321FC4", "FEDORA:5B904214E6", "FEDORA:5D10B2170F", "FEDORA:5E5506051725", "FEDORA:5FA506092704", "FEDORA:6C2F3226BB", "FEDORA:6E9F46049484", "FEDORA:7366910F875", "FEDORA:758FA61278EA", "FEDORA:76CFD605E21F", "FEDORA:77A9110F865", "FEDORA:787E821133", "FEDORA:7CAA26049492", "FEDORA:882916051CFA", "FEDORA:9013E20C03", "FEDORA:925D410F8B1", "FEDORA:A486D601BFF8", "FEDORA:A8ABE60560A2", "FEDORA:A99066078F69", "FEDORA:AC87610F89F", "FEDORA:BA292604B38E", "FEDORA:CB46E23C05", "FEDORA:D03F7604D0C9", "FEDORA:D5702210FC", "FEDORA:D948D608771F", "FEDORA:DA60861278C0", "FEDORA:E0A096048FD8", "FEDORA:E2EF9604D0CB", "FEDORA:E6ABF605A2A5", "FEDORA:E9B33209C0", "FEDORA:EA6192175F", "FEDORA:EAC816021840", "FEDORA:EE17520E26", "FEDORA:EFDAB6050C3B", "FEDORA:EFE7B60E36E5", "FEDORA:F422110F89A"]}, {"type": "freebsd", "idList": ["18449F92-AB39-11E6-8011-005056925DB4", "3E0507C6-9614-11E3-B3A5-00E0814CAB4E", "708C65A5-7C58-11DE-A994-0030843D3802", "C1265E85-7C95-11E7-93AF-005056925DB4", "C97D7A37-2233-11DF-96DD-001B2134EF46", "D70C9E18-F340-11E8-BE46-0019DBB15B3F"]}, {"type": "gentoo", "idList": ["GLSA-201206-13", "GLSA-201406-32", "GLSA-201408-19", "GLSA-201412-29", "GLSA-201607-09", "GLSA-201612-35", "GLSA-202107-37", "GLSA-202107-39"]}, {"type": "github", "idList": ["GHSA-23VV-V25H-QWQW", "GHSA-2X83-R56G-CV47", "GHSA-2XXH-F8R3-HVVR", "GHSA-334P-WV2M-W3VP", "GHSA-3533-RVPC-6X56", "GHSA-3832-9276-X7GF", "GHSA-383P-XQXX-RRMP", "GHSA-4487-X383-QPPH", "GHSA-4CCH-WXPW-8P28", "GHSA-6FXM-66HQ-FC96", "GHSA-6HGM-866R-3CJV", "GHSA-78FQ-W796-Q537", "GHSA-7HWC-46RM-65JH", "GHSA-7J4H-8WPF-RQFH", "GHSA-7X9J-7223-RG5M", "GHSA-84P2-VF58-XHXV", "GHSA-8HFM-837H-HJG5", "GHSA-CJCF-WM2P-59H5", "GHSA-CMFG-87VQ-G5G4", "GHSA-F554-X222-WGF7", "GHSA-FXPH-Q3J8-MV87", "GHSA-HF23-9PF7-388P", "GHSA-JFVX-7WRX-43FH", "GHSA-MPH4-VHRX-MV67", "GHSA-MVR2-9PJ6-7W5J", "GHSA-MW36-7C6C-Q4Q2", "GHSA-P66X-2CV9-QQ3V", "GHSA-P694-23Q3-RVRC", "GHSA-PWH7-92H3-MQR6", "GHSA-Q446-82VQ-W674", "GHSA-Q485-J897-QC27", "GHSA-RGH3-987H-WPMW", "GHSA-RHCG-RWHX-QJ3J", "GHSA-RM7V-GQFG-P2WC", "GHSA-V8Q2-94F6-6XQ2", "GHSA-VM69-474V-7Q2W", "GHSA-VMQM-G3VH-847M", "GHSA-XX68-JFCG-XMMF"]}, {"type": "githubexploit", "idList": ["25C1C38A-8474-541F-8A69-2CF8DAC80EEB", "C2D99D6A-1A8C-5D55-BBB7-34A978AAC642", "CB6EAA9A-0163-56B4-AB74-82C8674241A0", "DEC27A66-2A52-591A-9AF4-1485144CE6E9"]}, {"type": "hackerone", "idList": ["H1:509315"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20140707-01-STRUTS2"]}, {"type": "ibm", "idList": ["01CFF49A8E945385D7DAF195723AF2400A442375CCE77F93B4CF72774A757E1D", "0241AD14444530836D909285432DE0EF409B9993A9D61A28514B61A052400B84", "0309A53D35EF827194465C9C10BC98B7D4795038C7221686EE2E7A4669562BD7", "031AB80137983FA206B8FD452A65FA0ADD155D250DA679ADC4DC628C2E106C7E", "03BBDC7050471C64169EF3EC23FC2B3C55CC822FFA0D98F53466C52354E175A2", "05F3179CA4EA0BE9438639B8694635EF9ED28DD0883291C40F5B2F720534F38C", "0805E7A2C6036D7FEBAF075EE767AB91B73C933992CD43256425DCE028EA66B7", "08325F6AA0E5D32062B70EC20B7BAC73EDD2082F6016AADE25F93CC5C5945E15", "08A9A96C78CE6D6039407AF7A6CD76E6988199D97E5A5EFD8553052BC133C46D", "08ECBCA670F0B3F435801B7A34A3A7C7EF6315794FDF864F61E57E02C2E3EFDD", "0976C176E97A39F9A89AE40E674AFB87A89A5DB439E2A1C90351D75E792A52BF", "09B89CC8D25586C368092FB677B5A30D9BB75439C83AC02E0B400F381CCB8955", "0A2242182FF9C6E616AD12CDAF12C0AD6141133E4FF262F6CC0FA251C0F7DD9F", "0CF13F8FB4FD77C6593C265FA8F397D0C4324FC1F07F86C436B4937E98B25DBF", "0E9A4AA745E8DA99E68988A52A69F5E79367E37CC08A08A6C2BB73B338AFB4AD", "0F254BE920E96D803CA1A391E1B8A3B0C658E51C8C31B0AC0F95FEDD45279D52", "0F8C9B43069C04EF8D42F75FA8D42A5837D2A01F1B45F132DD6CE116C7562B83", "1029DD6F473AD662889F3629D432E043E9F3053CFAFEA7698ACCBEF97F9ED67E", "1071929E319DA2301B42C192AD319E3B6E2E74FD95170F6C359D22224A6C2385", "109B2E937B3A410E66933C6F6054D7A86640DE62C0F3587F9E376863C105A750", "11AC7F14B60A5C486180C6662F02676A29D51924B42EC510A55CFB87D09F8654", "11DEF8012E28C5EDA3144B78EC3E85C89DD7ECD6EA08B7B7DBCE879455FB0241", "12277D33F023D49A4635EDECB39A0984615C187AFB27843CEEABF15CDF9E0E02", "140E90DD98ED4CC1A8C413867579B2EF4F8885020D8C9B221D7DC0EFA3D20518", "144E2FDA5818BEDF6E97DA8F56942108258B6778FA9472BE0FB6E286C871A08B", "150C26A4B23CEB9D10D6B5FB3E82060606745E070EDD31CF3D53C5969B98B0BF", "15D4D14B41D3C3255E8F557AA0EE3EF0491215FFA7ABAFAF541A6B29C5E8C4BC", "16DB31010331CDA102555C2016C4A080DD57DFC6949CFC06DB82104E0598F7E9", "172E8A857C199BCE10B08A718612B7B83ED02952ADF1DE693EE2C676DADD4B46", "17BDF511CE76D216C5C50BFCBE5312ED54FC6F29640FF47112BEFE568B44B3A5", "18F4CF869D9270FF52F2FF27CBF33B53BE2BBC43390A4ADF07B7E865771F79E1", "19663A6693672015D5E48ABEE9A76AB50A1C71EE9CF0548228C739933A353C88", "1A7668E81452E83AB00678328095567DA17543F8BDE6DB1EE678E96C5B064FD6", "1A977E1D46AE4CB4B7068DB341125931FAD75C28D6703503973FFF9BE917887F", "1B20B239AD3161EAA809736483E5A77E89C656E8407697D1F391193D09E07822", "1B99BE15EF0865EC7D6CAAD98E1510DF110D3FC32411F14658640A57804FCBB5", "1CC43C4A66365486759EFB8BF9ACE86934571B8459B6E66D63A5190659B18DB4", "1D1503F24E44E92641F6FD7110D0B238DC3DBD9F3785FDE9E47FC7D6409424D4", "1E014E7185ECE2676B9171118053A4D1DDB9F759CD3863CCB79D1B3DBD175B95", "1EBC77DA43FD0C2AC1B3FBFCD06096623AB926F98B7AC6367589E5222F2115BC", "1EC9D814A44355A00FF42F8C8587C9E7C452415354E28A889935185CB4613BD7", "1F7A45CD4D73686FA6C9591207830D1B405EB9704E1C5F2BE5F439A0FE018D74", "2043A5155256050F160330C3A6F88A4EF47A0C2DE48EA69299E3599EEF5985A0", "204ADCCC258487D6D5F8C848C95DAB38413055F4AFD05DFCF56FD7435CBF7C69", "20763F2B27C66C722124CBB23FF4ECBE76431735E0AC6E1F94E8999CB3A2CB25", "229A4B43FE77515F8665EB39BE40365AEA78A7E6905A77143AA0029AE91AE79C", "245FEAF3E7F9444B5958781DC69E3F6A353E5088DBEDBC2BC099CD2EDEC0625E", "251C423177798D75830F3F5802954088E3387B66B51C34FCEA1E4482B6FF4B3F", "266AF5CCE2935A1632FAEA2AD2ADEC7D3B1EF6585030A41069E05308C44DE9B2", "269ED09DF8DEC59D6D5C76BBBEC1A3E9EB81FC2A6B977AF71E1341BCCE84CE32", "270059310308ADDF90FB6FA65F9F800BC7784217CB7B74FA653E7420EBD96506", "28CBA14F2DF9254C1445C1338480DCFC0CE9E7605EA9BC20FEE2942EF21E34C9", "2B583BAC13559207D6199DBF313322FD679D7CAC25583ADB0D482CC288326F6B", "2B824167DC3985A17D4B9DD3CF5905F8AAE0DB7D3312C2CC8E1D8F708BFCC90D", "2BBED71EE0BA911A3E002EAA0C18EB3B602904DEA97170D2D6E0034F54600AC5", "2BE1B762E9F077419A696E0C1B88E2D3F236BE3549BFC2182468480E071BF032", "2C89CFD58F3D4EE971D17C1294FCDAF90987B18CD1793833204AB66E2BE29729", "2E91EF7A9948535BD27257CCBF7A6470F5ADBFCFAE1D0B1F706C76B9FF03241A", "2FE97BC0DB8A3B1BCF85FF8F69828770D4396C7CC3ABD37202D8089D2CADF87B", "2FF199638646AE6211E47540E7CE178E9DCA1E8BFA8BC190A0A961F389C35BE0", "2FFDAD2D5FE05A1D3943EC028FB23F061967B243EB759A794CCD7BADB523C5A5", "3029F9535BE20D2A199498B065F599F47A44CCD33B224D2192F5AE06C62BEDAF", "31C0AFB718E47F2565BB2125DFEA05544B924823108F7C7BE892843715FA5571", "31D7DCC8D683A82E44671DA5A38CDC1A58877727926C937FE8D9FD9EE9FD2370", "3230B5C261EC75BE3334755D51C9AB2E3BF3C718B1D0EB81405BE610E871641B", "326912EF4D6CFE46E00FE614008D772B4764A4B092781FECBA0BF97F534B6499", "332EB7C24BEDDB6A08EB1D2E56168DBF8FB7B8EE1E89939D477827DEB2BC62FA", "33E772FE581A9D6941CAFA467B27570A2BFAEDE9621378A1CC43B798A00E48C5", "341A93FC1A45E72ADD48241188A719F3789D0F8084730D93C2ACFB474C42ABB1", "3445126BF24CE561B95746154EC44C95D58A25DD49B46FC202442E6C59083AA5", "35279E005912C3AE0E9F33640BCFD5DF387D4DC519E263BF997D5A7713E37501", "3530DF8DA972875E9B1FD6F767CF9BCE12DD28AEEAAF4F127105D1281DCB6CC5", "353D1C6BCD631024A42E1D490141E816161A8A6A01F6D551CFADA25D97B22F33", "35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "3582AA92271267A0985635BDFBC8FC9F24691B1A4D1B420CDED32DF204F71D26", "366CE799D9AEE4234CE4D38A22D774A769300127F0319D9238DAEC27C48436E1", "37249F2CB82266F83D2BD38F77D3F4E383A6FFF8A62E52B41EAAE04D0CE04DA4", "376BF79A42FDC2B79EA0ACE3299D7D2BC084C5F6732575256A96FE46F43D836F", "379B42127397DA22B3063ACB9080CA1CDC4DD16E46385EB5871C4E7B8795DE59", "37A865B8A16F0A6EAC8B82722E64A2EAC9B4AB1D6FE4CBA00F40A43E0855F3B9", "37E84D76257762D12F144C420A6FA36A16C6055B49D7AE073144BE16FFF7F0A0", "3851D26A1B7DF88EA8BA11EEB80A7341FC47BF9EE9F99E03682D841ED55868A9", "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "39FB3D1F38AC89BD19681FEACE87FB4DAA9E420720F8827CC4AA35F63756931E", "3B659ECA0A3490E43A993E28F17C28259C30674E3C1D43656C4A5B37F135FF29", "3C85B3C7443FFDE0DF64A3D0D4869686417DA52714135E90BD49D23E0331CD9E", "3CB2A092C6436BD79A8612A3CEE188FA093398871DFEB5B958FBEAF056691055", "3CE0DEF06FC9CE41C148F15E374E35024D02AFF49A540400F0AD056CB1C2A1C4", "3D06AFAAD22542FA483AAC68D77E91B7A2B272972D4F386444B504CB4050B732", "3D8540513E9389E52505EF4CCF99C1FC5DC8928BFA49128170D48087D1264725", "3E12BA2CA4DE8574522B4094594F36E64FC844217879773183FA9455EC8D7C55", "3E24178C007E709BA47FFA90778DD34D7B8EB78DA65A804C849ACB792DBEEBB8", "3E3AF8AC7BA63076BEE8FFB670B3A3F27E0903C83526E54496E50EB2DF74B875", "3ED9EC3F8407924DA03D3ABC905C0426524C3277480EB60950F0B1E4F641977E", "3F50B90AA067D7B221DE01833CF094A0A4B8DFCEFA2F20192B47FCC636918D02", "3FC31A2CC7ABF7DA1885EE97783B9D04AD2C6EF31E7B2B06895F95DAD4550593", "40AF05CBD3BBA604933F6C61D164EE39373BD16E9C951A8CF9EE0D2970B196AB", "418A4C8D1E8F2E8A923DFE2C36570B4A5EF7B515E050C0F19513AF3DAE7D2628", "41CB9666A88AE67D4A0558674B8CFDA62F160B6DDCBA3C10576515447887CF12", "43ABDDEF8A51FB28FC8C4825BAD26A0A25F5F21805BFC87561A0AEABFD065F37", "43DA4697F34CF5D5A6799540E74541895D58CA735AF6018C2189B56DA5C5FD59", "440EFFCF162389547EC94BA431325D2B42D5E91C496765EE6F12A65170790BDA", "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "46FAA835435B75C9ACF0355A61E51FB1D066AB3F9C5269FB30BFFF04C2C7D336", "4777F5C1553B23793B9C264645B77DC8564BD5ADDE40E26C0417DA938016C274", "47F2E96B209FBB6A2D2F949594CD1BDC9761597679B1D5EEF5979F79820561DE", "48F32F0BE81F12977F3F77EC7A1B784BEEE2CB897C3A11E48967C396BAD27436", "49B2D31DCF58D374CE109C74565DE7CAF3EDA1BD011B45B1088730319FDF00D6", "4A40A8584AAA0568BA4769257A7F6F47501E3580494467FB6A90C65631820786", "4B9FC07D99F76E8A079AEC1877622BAC575BCC2DD105CA72EB876D10E2DF7D8B", "4BDE70E43A19F50FF60A2F5CB6ED1C095A92727557F41F17F3F3059A4D00A95B", "4BEC8E9463E4B27C09D4E3ECF5C98A9E0D6D193C06E6EFC3DEDB9F41368D7DC0", "4C0DBF63A15F96E4F2164C15299BAC4C8BB35F5DA0A29941D47EAB5DD8E7F12A", "4C85D2930346AD967159AF4455A7D0489E2962948B89964DEEB838E940D0D79F", "4D4083B3DCF76307CD159ABFA977289BFD623C088D7406C26A2EE54773F4845C", "4D8657752335630DC0A9AA1B58DFDC68B415B530E63E94280262BCED6A83CDF3", "4E9347918C21E4F559D980A317D6335167DD2B191CB648615ED936EB4611D417", "4F441F1EC2D2D7EA1D9033E689E8C62FE264F17CF627C618EF574955EF8C49D0", "4FDDAEF0B75E77A06B8D7597974820AA398F5338DCF044E51EA0222441200F4A", "50E6A01BD478DEED9D4635F64814BCBD9DE715353A82634EA217E4D53F3DC5D2", "519FC45136B546F07851768C8E91945B467263AB1181050DB68A2C1829DD655A", "5248B9256CAD1F8D158CE63A6D338882538AB4CB774063A0FD1F9D65202CEB84", "5286AF354DA84BB562B116A3416B9C765F3ED708765C101691CABFF974122A28", "539FD5A344951CB3146EC1C6256AC3A91344217924BD86DB5242BF2BD9D82C91", "5474D79847A3FCE81B76D3A3025062B823503D87AA571209B4C33FF248E4D056", "55C908DF6E384DFF738E33489ABAD7D21E826199E00E40089C3D64248B3A4B8D", "56B285EA37730B4746FB389027A082A9235462A58A5870D69D30CB85EDCC250C", "56F64AD3D3BE201E4EA426921144989C6499488637E69793792327C0985A13CC", "5C481A34282BF5BFB15AD8A5575FB80CBFFC6C92FDC1CA5E744CFFAEA4644EE3", "5C80F4F5636A0868AC75F2C89F64F0E39575DA7CB728A81C3DC2784A9401D771", "5D1592EF6A8A0487A1F0041E7EB876063521BA5DA4C50816A5A8A2DE3D3E34EF", "5D15E38E41948EBC404C08C90826441AA6EC959B45B5BFD2E68F1BC447FBD762", "5DFB309EEACC06B61D408A7963D4B9522D38B36040304E118E4A9237BCD1B461", "5E963A16D56492D265E3AD4BB10050F73E3DA9DE70902074CA74AFF7B978ADBF", "6090C932221E51ADB229897A416B6CCCF4B92380897751F9E9E7D222C5B6F5AC", "61080EC8A12879FF667AE005F8F9437CBD064979751806084BDB7C5D3EDEAC67", "6109AF1F8D1815678E61E353B816288D20DB8DD1D5C49536DF782435D85C01D2", "615E4369D0B07E7BA358AF447BD05A3ACC0720A255109ADB57E2A2080DB3607A", "61FF6F10F0D76277F85A8A525D2C9989283AB04F3D830BEC0894CE78DF0624A3", "623954A70FECE1147032EEFB914DE7513BD7CFBBF3613D72AE3ADEDF6131D88C", "630F07BCFBA91233BBB559ED997B4656AF3D22DB4D916E90B078150D1E4475A5", "6314721FCE7C49AB631E5F584461838B4B2B9C75884E7077B204317030678015", "635552E99951D8D5AEBD584BBE0C8D1EBBAE770AEE83BA96CDC88B692C2A1891", "639162FDF1F868B89BEC92BD6649146812BA3EC6E2918FE4CCE113215EE729B2", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "63C0B2B3226E3E98449887AA89E81C9B35F422CFE5D67FF9577B4EC869D9F5EB", "65C6CEE2220BD8F2BF06A7DA52FAE31B05C72037D4DF4346A594A14F3DBA2AF1", "65F813DC5834BD7231C1E9BF8B4FA806B1F0B3DE4A4DE502EFD79E3DF631B9B4", "66190F86169601FFE437A37A0B9AD09EA1B8961389683892ADA7DE4D3DFADC50", "681418AA2780D10FE3FE75923CF33BFCB1F9F3C8FD6FEF47FC5127CBC92BB2A5", "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "69C147CB642B39AA3250947FC1868ED542CC9C2C3BED4BA821CAD9BA0F178E84", "6A211412F2D10EF21E599E5E233A8338C185096623353D79DC919935D1D1ED5B", "6A8FB2890AF2EBFB497D7D6CCC198FF3FF0E22BD184AAB460E05F9B5E0B6A4DF", "6BD6355030BE86F4E188BDB745E0B585AE117958CAAE5235F8A7ACA01F38955D", "6F9B3E5D97FDBB41059AA8C4DDC3F8C6E337642756FF537C16A61C7599D523B9", "704897FEF5CE3D4AA35FF51AE237FF23A83A38E10F9597332BAF89DF648929A5", "70F7C16B884F3CA0489B9235F3CDA3FE2C0B53C46BD3767440928787F2FADAF1", "7132B1A6A39415493DDFD601886FF75ACEE8C05C271D92CE5432D5A08C11740E", "71A0E260D835E4FB784163408D486ADEA9933D2BF29E0D594920C0DE72D440F2", "71A473993D401FAFDA20A063C958EB3785E06B0F2833BBEB5FA0B1E2E3123139", "71F5E8A084745AB734B8FCCE61B83AB4D2A798A72CDA2AD70DFA1E43A457F4E5", "74A64D86F481DEE0890B283DD0C93883DCD1F9CD9011875F5CCF194BC49A6A89", "74ECBB84CE8413AF6DA93062925AAA87DD5232E1319904ACEC3D5A509E59A9F3", "75D402B2CEA61D69C553141E08DFD9743DA1DE8E0FE50384A99E9AD4F4E5B618", "7623EF01FDC9829334B2D3D28DD6B6F03B2A42D3B32CC0CE319C386E91549037", "76322F4FDE913CCFF696E95021198B9D1B68711EA0FBA9EE3CF9E433336206FD", "77352C82A30EA733694B5D88C0D7D12ED4F6B39811776EF99E8E73A7C6CD693F", "77C6BF921A5EE4D83AAD3E81B0714C7F02AA72F5A80BC01802CC6F1440DE7948", "78F585E499684A44D21982BB07C498E010C527FBE1866DD676965E7AAD25664A", "790AEE8158E5072311EE0B1D8C1CACC2CAE27CA8C7B75F39AD990B40790CFB8C", "7911EC80C28F7BE157F66EC6B3E35B2999E41F97F4299CD83723DE004A5C5CC2", "7948B558E9BBB9D7B19D137E1C7944C490BD5D26DB24595F235B080A97AD570E", "795D3F68D07925B1C9C765AAF8DA73C30C8A6490AD9D7941029C418A30C9FF2C", "79F87BA72892577A0BC3F38CF5FEDB0E85D288E3A0106ABF797792995FC7E5A6", "7BE38BC9D9063F34BE9B8AEC73F5518E1D7B0EC8F35109DB2E64EBA48061A6DB", "7D46658778E442AD0D43B74E767B5638C73A3147A2AD662C6A1BAB31343A96D2", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7EFB522319684542D37BC81717D35991CE91F1752F5381EA6BFA2B84165FC89C", "7F074E985E9433293F83AAA7F6DAA1B51640BE0E9CE150599D1BBD7718BDB08F", "80489411CAB04FBDC8043529670BEC2C45004C175864AC8845B7DAE26D981661", "806B11C18985E14C352AABC27B1F7697E3ABBED668EC91AB8DB0565F535048B9", "807F02BF5D04D1D709B1D383A56D073A3E2ABB5E058B819FF145C9C80E083AF4", "8155B091E8A9E365D7BF4DC2FC7DA1113C991153BF54EDFFC2BCC3322D0D6281", "818B433278D5E2420F4213C71C6036E7BA5EA3C87CB6A3BC405627E0A3B9E898", "81D5F6F41E5617EDA7FF694BBE43496FC48B7577BB4C9C238127ECCCB1D40118", "821E1DB28B993B7E69088C09D923B82E365EF4AA8DDDC41C9304F73839818821", "827A45EC614307E6B330A61725CAA7828F168F30C837A1B843CA1525E013ECB2", "829888007050D9C11A7557C40DBAAED034B1097EC4A906EEC0D336ABDA0D0B50", "83DE818C5932FD800E5449ABA82FA7FDCAC7A0E2B41C5C07CC9E5CC56A3B9296", "8491CF1F3DD8116411BD720BFCBC2272BEB04446394152CADFC6BA73F4D21149", "84EE0B6B65D7981E610CE1341D669611BC09147C2C970E1916EE8AF8E9888A55", "85068BA05AFB9468D768F124D70E29FEAA718CF85C40196DF1FFB790C80EABFF", "858896131EA815FB74E9BDD335996EEADB31086755EBD223F4051866A0275C41", "868FA6DB6C0D6319E1B3081CCB6B4C3817A1853F87C138E75E8C43A455725423", "86B993D6503E34FB9416A4008E2B835C55F8299FC3EA8C2C75569BF05DE5B981", "872A188EC4E2613A4C8DAA4C113C491ED5226F5BC56BB46BEC54BB14EB8DB940", "872BD873063FFAF2EF7288B9566A9CA58451B802A0465ADE67F67B5E43921382", "8780BC9CE2BB0677F47E2C4863425F9482973B47E148C25125FC42E69011487A", "87B4000A01C23B6231C463A8E1B3BEC371361C202F46354684899DC113F12BC8", "8843F7CE503D218A7104A239B8A08FB7C4002FAE68063C4FBC08A231C930164F", "885F04A3FD3C5E63563A6B0FBE2153A82674164F9704056EE89628381F42E56C", "88E396C29AABC664ACC3D5B0A3797EDDA0587772D5D9F452A2E356E7CC5BCD5D", "8A242C548ADF3E615FE6BA32C7E6F5B2DB8B1FA250ABF2329DC20A0FB32D3700", "8AEB61826548DDA949641863F93129FEE91E02DC3B949C9D6D3A111A2DF9A0BE", "8C5F9E00411BC48544E09C07DE0A9332CE9F2162272F1C9EE415D926FE3F077D", "8D7ED64456FC169D02750D2AA4A80B16FFC334A2DA71875B22768979B26CAC67", "8D964A6D85AB92A093A54D98B52835DA52D646F29F4FB8F77B0F37827E6FEFB1", "8E4DBE94121ABE32EB52144CFDD57FDF0D6884516B0DEA8E9B75FEDC0CA31C5C", "8EFB8A654D3536DD4481500A7680D75E0B2A04D2F63C829CAE130B12A35D7ED3", "8F7E9BC38CC1D5886DD8998C93E683C9367649830B463A9A5032011B60846A4C", "8FB0EF2BC912FEF8086EDA6A85F6EADBA8F6FD58431B3D97965CB05312955112", "8FC7C09963E1021982F7C5BA835734B549BF1EA0728D7504858416E06E6674F4", "9063463CAF2AE4BCC6359189CB4392BFAE2B04AD50A9C019E56C162ADC24BE22", "90C082277B7693D7D3EA0169825EBE4FFD04904F9C3D49FC9877041A980751F9", "916289CD5D9C8E5E33D7DE91CC4F8F7F5D561CF5D9EE0270AA10F98B4F8E11B1", "91A09BEF644BBEBF5DD286339A6FD55D9C9F00D45A2B3B6CD9E6CAEAA453EC30", "91C2C4E11969518B70A8C8F53536E1FA71DEC6EC24848AC3C98F5843AFBFD45E", "926CD83AAB7DA7EA60F3ED2C60C4D2004D06E2189562B75111B63EE52FE070C2", "939CF579A3478DA004C0DC63764E80A5A7E567E4CDC2FE8D1D3D9C5336892035", "93AF3A0CB685837B7C985687A86604D2436D2B5919B3C105E801C3ADABAF8404", "95CD62FEDAEA72A3108F90B80812DA1D38B9D58498C1F872BB283E27B2E4A609", "96302C1466344A1E09AD9F8BD313E146404CBA442EC8A168D06F9F19721F34E8", "96AA6E96C459B552487D37879C1210BD7926BC641E7FD69543382941733FFB5F", "96B854658FB25B1C41C7953D07DFA40702863F7DF3DA2149F3BC57ED6B4B5CAA", "987312D6FC46CA3F269FCE6582D23DFEE688D79E6FE8D1293ED88A90F27657C7", "9885EF692D10F55B10165D028D563DA2E874C62358D512573E854BC6EF0EF9FE", "9898A3EC8BF1E9FC2EAA662543E6514CFB2C354F067BA2E9DD0CFAE333F8B99F", "9A19B1A61B0A4ADFDBA9E428552BF21656703586B14AC314FFC9B663C7D9BDEB", "9A3C58591C936F5C2DADD29A151E053EE1F4DF40A9F92D94EA83F0D53AFC3F25", "9A4B42181E5D8A9CEA3178AD3E0CFEA6672BA250DEBDA4E822FCC8B9D4F87CF1", "9AEA0427FF2CD82F2B2209106517091DB3152CD2629B4BE8F83D8DC005BD43D1", "9BE1D889C1BD77682655EB00AA0EE21AA5C7CCAA1F93287BB788D1CFC12BBD77", "9CEBA1B39CCB6811A505F9227D3A8589890E3374E0755D8A3C0854B9E7E74B4F", "9D7005B758961DB83E562429E679C1FF93E8A3CBFDA5A6EEC3C6B52C734D2869", "9D9A01E02514803E9E0E5DD88830752E1595E1F1CC50F35B26CA6DC44AE2E184", "9DBEC753D4731F3169755A2E0DB634ADE1D525F4BB9B04BCA0E5932356CCCB75", "9DDD0F190508F2E7A5678CB2D1EED7DBB6DDCF4E86557DF2759A163E2BE27792", "9ED959A552F1F1135D021720BFEF601A33E4FF298A735DCF0648EF0558E731A9", "A04FE2EEFC21C3A9305B1CF7463C731D28C17EB5521A8E54F5F564939C5E91E2", "A10E7A45BAB7A017FB419F00D57064F9A2482F36ECDBC49D11E209F1CC8D8A4C", "A380C4CD3FFEF0D1AD28C9019320AF0085267A1FC55FD33D40E61A6A71DFDFF1", "A4546309800BAB5D9165D01BD2DE818A415744A283A8CAF26FF5FFFB7FAD3368", "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "A4EB252B4F9B1D9E6B670EA990F738AB583192588E1566F20330B6E3CFCB3AA1", "A72E5564BDFAD9E449BF73E363352CDC6113E85F5F2C1391EEAD6F21F5ACB1C1", "A866252B75E912D0B0730469904A7C2D30F443084DF2C8AC2265ED850925178B", "A8A1B567F944BADF2C3904883B086755440DF569158EEB6B0C8C2202276A6F6E", "A8A6B57EE1BC9F1473354B832D22D004059F832458042AA25CC089DAF316B910", "A95F0D6B3CF9A29C76ACC731709CAFC7669E8751464745D7E07486663A6EE993", "A9B608450EE2B2505174F8F497D891A822A15EB84A1C302BA28DE13FA45B34D4", "AA02BE79DCD02EDB1B362BC22E1303156066D6065A6A81B509F48BDDA3058239", "AAFF9E87667B35D62A52D77B8E5C3A000AE2419974F7C14545C23704BDDC171B", "AC328B0BD7747247509DF824A76882A7ABF67BDC8C756027B0F8E60F14B5C2DD", "AC5DE01326AFA37CBA7F799502684F57AF3D9271EC49734648DB7797522AF2E8", "ACE26206FFB4E9BFC947C91835F27A6EA2B5E8DF0FF6B0C69F358731D4D9C900", "ACF951883A0ED678D1734A49BCC0A109E5194A4C26097ED854BCC8C8D5D2FF97", "AD19EAA1EB45FE2ED42C76CD384CD707CD4910D7CB4513C404405DA39B669438", "ADD0F839178755FA4DD912718C067188513D949DB4F98877C9A6309ED84FA4C9", "AEC0722767EA21CDE0F10129C001F976425E48E7F302D7C24108AFF251D12D6D", "AF3CBD718F3297D87FDA4616011F4CD425D9EBE3BB2880108811A5CAEF018EB6", "B09323FD9F65F6065C7B68F00028DEBB77D6AFCCF024832FCF79623893150BE7", "B0A86AE748A5FEB5B28098C199E3AE109F5F415CD018723CC5E174C68579E28F", "B20207E28CD59AC71461F80E164DE4E8EE64E3CBDD6C491952178CAB240C5EA9", "B236D3400A0C6106EC62C77931DC3654EEBAB6EEA563B3344ECFF477FD634E81", "B296DE2C978240783DE76901DE1418342BE45C62777C42A3956DA1B0B1716126", "B2BBD24C894F8D84E7500B060A120D423E9243FFB79A39BCAB9B279001C33A01", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B30027B67E0900B9C9192B0EB28EA6D42DDFB696208646582631F912C14CE66F", "B32A9F847E997ED597890C99F269D7C3A7DF6F439286500BE56CB08A839D04C7", "B3B45E83BF6B33A0EB69850F973CD378A00F86B0910DCAFB7B4D94EAA2CBF764", "B554CBF7F930D8FC7B1ACFF0862C97C211B3CCA7A2E2C47D1463133E3A5FFE90", "B5810DD31544DECD338CCD71F5C05C78B267068FE3FD01928B5545B05BEE5FA0", "B5B313A73D0B335F18892EC4196F2ABB099764E6FF53E09B6A30800B58EACAB5", "B5B6C4769983441433B811EF3AAED6CFC993849D42BC924ECF1CCA5E34838148", "B62A0DF1BA325616E310706F59A3DD07DD7DC7356D343963E6F99C6D89411ED3", "B63E6539A425EB5AF33E03949CFE0D4340525E6C4EDC7F84EBBBB8743E8CB569", "B657C82FF782BA1258367C6D684FC8D8FB770735CAEAFECE9AC1D670085E21DD", "B6D98686FB4CE3794F12AA810C56116765161F3CB64E9212B301423AF70BBA48", "B7B5A2F4EAC8C54D2F0C9FDCCC4CAA2137D3B197178381FE3F072B00002E30BB", "B8DC16D7984D0BBBA4C1AF32274D163BB6450605EB784C1C3FB1AA833F622DDD", "BA5FC59AD4CA540F948C75EA478904F8A2D0A949B970697DAED42B661E911F37", "BA84392D3F11FD2DE3FE0A8FC9E00B1D08953778839774F716912228DD61BCC2", "BABF5F87446773F486C4241A55805D7AF675A10E3D8F7FB739A641C0B3FD8389", "BAFE1432B61D78F2B29438C3606D2D46643F4DA3DFC6DD0FB0C4962ECD44C150", "BB06E8BD028B2DF581C4E507E45CF66921EDD872018812A67B8FFD9CD3141ABF", "BB533902BA4EBB47C76135065C028B64E9AE235E3599722B647CCA07B04C8611", "BC4CE6FA6231522277B8CDD6EBE913273E804C9EC6F8EA56F64C54D931A5F0A3", "BC559CFD82AD8F6E1AA3E69C2A2B00BC9FB0E3C8FAF083302CBDB8C389180014", "BDADF9A01D9660DA0A520C62C15482DDAD45F4B68F6316BC4F17A7356B308B0E", "BE28B80282A36EB5AE12EA4346DFDEB6572CBBFD3F23A4A31E09F4406B8F71BD", "BECC6F55C479899394C948B41D1583923FD81FCFF2601C2F611481DF3DC4A086", "BF241965E218490C5786B115CB2639A8CA788DC4170BC648A82E9FCC5A5AEBA4", "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "C08849A00434A559EE1C5504DAE1CDDB28E9D46EDC400E95B2136AC317DFE7A3", "C0FC61A8784EE611FCFA657BDEE4126F9E7F7B7B7D6A18685C775179BF7837BD", "C1B5322190FFAE182FCA6B7B22D3480C9F28AFD12D15A4E7B9F5EBBA1610875F", "C1F769D030FC2C40F30870B89602B6E37C63D9738974975088F5749826F8EED3", "C2172119C7EA3C8DAF5775654958C15FAD557D43BF30EBA7616F82FFB6EA31E2", "C222A8A891F504F40C914F8F66ABB73F5EF9BD26F781A02F39DE0DB06449374A", "C3B05CDEF184BFD293F7EDCB8C5A430A32B9D04DDF8336E289D0609D021B85C2", "C3B567818F0068A4E76BF412FA5CD0354D004804480FA49A2095407B12E1C65E", "C43D2CB156B7BD39FC113EAD22568306F95463D3E29CC3A697EB085F142533BB", "C44E07EA5086C9BEBD0E896839F7E52E6DE1B379F604FBD6F4A29FB1A0D32827", "C5BECC1FF633D3A61CC27E6C697004609D2D53037AA1A203924F83717DF01AC2", "C5C3A875E50DB700220E26BE110391D11F736F71096D75C525AE9DDA14ABD8F7", "C5C7D84C444F9CFB8E5CCE24264C09F1C183065FCCD248E0A1BBAD57CCD8C3D6", "C71A5DBCF370F048EB817F4959165CFDC0441EDB671093F1047A96EEA8FB7126", "C7D5275CE22EF1E77C2DE0FC048F002DC6C6C43730D8E85E12B6D4635562E537", "C9DF9C64EA1901A4A73100734E733E276B2C17AF4A3093D142E5F13C918BC741", "C9E756FDC2D170A759D074368FA581B4BDE59726C48E93D77387BFF9A0BD269B", "CA9DCF531A11B03DA139506DC9F6319E49C554DF0F64E8DEC99E49C30FB2656F", "CB8C3B738F38745C5B57C0DA3F05DADCF513EF6086091B71D291C2300F0DCD7D", "CC5089F9744A6B5AF776C8A1234A9BCA32E0798D396B5C631C8D215B02EA08AB", "CCE8671153F728CAB0724783796D490FA3C198DC9AAF1E254ACD2D021433E8D7", "CCFD0AA6FE0B04D655CB682E840C88D56CFE6066B6B9B349560AFB2C6DFBCB00", "CD8271F1E3A620207AA3EAC35F944E1453EFEBC4728A88B9C3D9D0DA7F511F56", "CEF23955780B797D3E4DFF7B2586F5C1F6FE284FDC236FD6F838681B4A03628B", "CF40E075F0CA8C41C3924D8CAD12B7A9304B4AB57BABA03002EF8225FEFC457E", "D006FC5774ADF4AA80F3952715EDDA472FE39E68ACF3E0BE82C85E08EB7037BF", "D073E08AD140CB6620590BE3498F8D2736D636AB608813B1FECA6FBC21280451", "D0934964E9B56702CBED525517F4EA576FF2F33A8BA6C800C34ECA9B7FE90236", "D09ABF92F9241537F2411A406C8EBC7E6385C510450FCBD8E4BEA2A58ED1A1F8", "D222C68A9F9279A22A6D872628487DC4677D4BD829C33171CED7B9CDFF159C1B", "D2C2FAA59189FC355096429F31F4AD0BE546851207D1F9D74226059031643143", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D33BBD3C5F74DBFB7700F90DA29C0A0F17319D5EFCD29BE614C5EEA53697BBA1", "D3960A5391CDBC3EFE71D2AF6765F7AAC5104A881ACFC37A5D48C02CA2E26DF0", "D4211B02FBAB148D2434B40D5A6AB3817B90113685B8EB84B8D8021D3D23E01C", "D44FF07C4CEEF1D8111D18A8384E2F0954F7C773B38780A9490BBF0C62A95618", "D4F9AE28EA501CF2A176391E0E920E7B7FC3A2D7D8CE5319FAE6CA44DF5B1E04", "D5919B6CD8669E3C1244D77D154E9ED92A7E8BDD6C207C135B98CD381580BDEE", "D5934C683F70DCBE4AED04C1CC98975A5321914D3F2282A47A2535F0FC4F1834", "D5A2AAF6AAB21EACC2A6F0566C16684CB493777C1E7DBE59B892CAE7784E438F", "D66B903250F05C7E6F628063E46BB788B758ACF5470BDBDCE9A7DDCF98ED3362", "D69CAB0B695FDB3F4A13D03095C9000050A31CA1EEA0F9ED3CBD01DC6FA43F1A", "D6A278AD53F24F8C2A141B0CE86714271C028E265EA5E488D59254EE85EA8F0B", "D6F03E0612A845167F666CCA1A7409D6B9CBC3342DE65CEA3FBEC5E9C8EB6C09", "D7390B667F4610840B7DBEE48217CEDFF56BC7B9577E1551835932F49BE6F920", "D755592724D4D2D085C0F8C6603BF802C8BF652DA20950835B7F98F62B82CB52", "D9B0611A8528A63B8202AA688252759B26930DB9480FE7C48ABDCE8B48665B48", "DA1C836B75E42E2FB996F536143556E210EC992AA28EE772F420C8E630A9779F", "DAB88099018B311F83DAFDB9431625A326A00FF72BE126856DCECA1262D7C308", "DB53C7C295FC394865150CA5853523B1FA54709666A98F3C90B7B2FA4539EF15", "DB866DC8DC23646847AE5E9E25C02B2DF2A195A414B2734DCAA102E637957BAF", "DBEEBEA67BF53D06F2B67D1EC250BC6DC481E7E1D95538F33DA149848FB8D480", "DD5BF5116E5741EB672335643731F4B54ACDBD92F34C019A128C14DD0EF87E44", "DDAE44367545E909F1C5E82BA6B48DEA1D51F717CEAE6CED7805AFEA883D85F1", "DEAFA2DB54593AA80919E191E6F6089E8FC07DD6414224DF7420DF6F55DF4BC8", "DED899C681C4F01F658F5349E77058BDF8C51E88FADBC17AC63AAD856B4CADE5", "DF4E8F31FE043E3CFA77E41A2F0CE2691BCEBF5ACB3B2A8B13BD91911951419D", "DFC186E0BC4C38FE63E8100B59AEA0B01E674D693A8B6BBFEFD8481F100D92D3", "E05BB8F45DC047A2895F7AC85F4B8A9F55D22D985F0D4F65E95F3141873851DC", "E089CD8F4E1283BE8ED3A30F96421499F2E0C3F867875E0345CFFE45A636E65E", "E143583639D054AA8FE69FA00A9B2C711903F95581EE6F26FFBD1FCD98532960", "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", "E31CD1CAA68AD6659A7C459337F50C896A6D30B1CC25BEF6FC361000F2ACE0D4", "E3ED6372925BCAC993AA655D3323B4FAF6379B6E95CFFD74950603130CB1A17D", "E472DE505C96419516AEFE62313E85E4E907BADF9E49C6E7E7D5A4719C5D4565", "E56E2B116EDD9B36BA0E0A6BEA7E46A462817EFD720A53E8AAFDF37AE51F6FF6", "E593E12AB7D6E26E07598ADF3963FAD201BAABDA173B0C2AE81C1AAB831FBC26", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E77EC6F45B7D6E8BB278E220AB25F28DDD520313254120E5AA95ABE42DD9D030", "E9402FC09A28106AF2485DB38FE701AD9E89189CD8A1924DECD9BC2BFC341007", "E9DA194448794AF1B23D93C4E29F91BF89DFB6B4B3FE0F10E5AC715596720FB9", "EB2D86A7BBA252757A65C0A0A0329A0AD6B47B01B8C03C060D72D11BD2074A52", "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "EC68A07B2C3DAE1C815890F259C28E42A77D5A3444423C6A6324A3D881B16265", "EDFA9D5968081EDE399774767050C178F730BD070533CFA73DE5F24F7E8E7A52", "EF19812C84470AEB6A0CF3BBC9556CCFD28E143AA068E0296EE6333C41FEAE51", "EFAFEB4BBDCD09CB8092BF34BF1DF6E8940256BA8189C4734656E48E9BEAB09A", "EFC446973169CE75A82B0414B6EEF35DEF3A2D4A3904DF4C568A776C1F269E2C", "F06557E676BEE33840ABDCBC8B63800AEF257D21E96813D19608264A0DF5ED04", "F0757274DB5D8329D95D7A6D4A3997DE0A00111E7975DD730038A4C7F5615F5B", "F0D697BCEF4A8A1CF04A7209C24CFB2E3B80AA3B9D8BB629D8DCBD87B58FB387", "F10B278BFBFA868C361722B3DE18CDFFBEA415174A88751DEB4AB93FA4D5705C", "F10FA6D57A7E8D9E7ABDCE22CFDA45519C923BEFD2EBE417EB91AA4039224559", "F15BA9EC0C1FC4624C7DDC90D046A7A3558B86CF13B121A8778B5BA8562491DC", "F1EC5D4551244A16FA4089F1A2978123216790C3873FA1FE248F1579895E1483", "F43AC4AD74C202F4FEB76EA0BC3429642A773A92CA519668F55C67ABFA59AEB0", "F4B9D71D3FABEC6658928AA2A337B66B863636EDAA889DCF19CDC196449826D5", "F4CA880341B94608CA96ABB2752E8B1E313AAF497D8551E7FBFF02076E793142", "F6BC10354A07CCD87F52BAC1053D9E1403CC47698D49BA1AAD057CE5C0DE00EB", "F6C2D7B519A05770991554475891717CAC8A17440E6CE3D0FD4BCFA2DABBDF41", "F7297DEE78789012F7802C00A7D437B06424929237D39542808A1D9905687922", "F976E6D48149579C30755509014967F1B6A7163FEAAB9453EBE9572696C3DDDD", "F9ED99C3F4B2D868A3826BA34135EFCC7EF1978329C535488F23E6CF98DA913D", "FB301BD274079F5B2C88A19B0C86981A277D606738CBEB57758A65ED178BA0FC", "FB50FC72D1ADF03C64135E473D71F8FDDDF0FBB202D69511A7EA94874CC168D1", "FC2BEDDC9B0A20E14CE30F6B90D14256565AADCC69A534CA0557D8F35594D108", "FCBB05868C528D5C5F3698A9D6575F89F9D3408565D13F740AC2603D8C6E3686", "FD769070DC8BB2EB714E9469886683E0B5018E711B2D3783310FE26D53451411", "FE252D131D8F7560832F857A2E94C6660B4590940855E6B811C5BA4036C7A5C4", "FE290C07593DDFF4F7931CAAF905B7070C33FC48DAEC98D949841899598B4732"]}, {"type": "ics", "idList": ["ICSMA-20-184-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7"]}, {"type": "jvn", "idList": ["JVN:14876762", "JVN:19118282", "JVN:30962312", "JVN:49154900"]}, {"type": "mageia", "idList": ["MGASA-2013-0199", "MGASA-2013-0322", "MGASA-2013-0323", "MGASA-2014-0056", "MGASA-2014-0100", "MGASA-2014-0109", "MGASA-2014-0110", "MGASA-2014-0219", "MGASA-2014-0398", "MGASA-2016-0164", "MGASA-2016-0311", "MGASA-2017-0382", "MGASA-2020-0051", "MGASA-2021-0153"]}, {"type": "mskb", "idList": ["KB981343"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785372", "MYHACK58:62201785395", "MYHACK58:62201995222"]}, {"type": "nessus", "idList": ["5339.PRM", "9699.PRM", "ACTIVEMQ_5_15_5.NASL", "ALA_ALAS-2013-169.NASL", "ALA_ALAS-2013-235.NASL", "ALA_ALAS-2013-246.NASL", "ALA_ALAS-2014-312.NASL", "ALA_ALAS-2014-344.NASL", "ALA_ALAS-2014-410.NASL", "ALA_ALAS-2014-436.NASL", "ALA_ALAS-2022-1562.NASL", "ARTIFACTORY_3_1_1_1.NASL", "CENTOS8_RHSA-2019-2720.NASL", "CENTOS_RHSA-2009-1201.NASL", "CENTOS_RHSA-2009-1428.NASL", "CENTOS_RHSA-2009-1615.NASL", "CENTOS_RHSA-2013-0270.NASL", "CENTOS_RHSA-2013-1447.NASL", "CENTOS_RHSA-2013-1451.NASL", "CENTOS_RHSA-2013-1505.NASL", "CENTOS_RHSA-2014-0429.NASL", "CENTOS_RHSA-2014-0474.NASL", "CENTOS_RHSA-2014-0865.NASL", "CENTOS_RHSA-2014-1319.NASL", "CENTOS_RHSA-2017-2423.NASL", "CISCO_CUCM_CSCUX34835.NASL", "CISCO_PRIME_LMS_JAVA_DESER.NASL", "CISCO_SECURITY_JAVA_DESER.NASL", "DEBIAN_DLA-1621.NASL", "DEBIAN_DLA-1831.NASL", "DEBIAN_DLA-1853.NASL", "DEBIAN_DLA-2184.NASL", "DEBIAN_DLA-222.NASL", "DEBIAN_DLA-504.NASL", "DEBIAN_DLA-57.NASL", "DEBIAN_DLA-611.NASL", "DEBIAN_DLA-930.NASL", "DEBIAN_DLA-945.NASL", "DEBIAN_DSA-1849.NASL", "DEBIAN_DSA-1921.NASL", "DEBIAN_DSA-1984.NASL", "DEBIAN_DSA-1995.NASL", "DEBIAN_DSA-2856.NASL", "DEBIAN_DSA-2897.NASL", "DEBIAN_DSA-2940.NASL", "DEBIAN_DSA-3575.NASL", "DEBIAN_DSA-3840.NASL", "DEBIAN_DSA-3841.NASL", "DEBIAN_DSA-3857.NASL", "DEBIAN_DSA-4542.NASL", "DOMINO_8_5_3FP5.NASL", "DOMINO_9_0_1.NASL", "DOMINO_9_0_1_FP1.NASL", "EULEROS_SA-2017-1213.NASL", "EULEROS_SA-2017-1214.NASL", "EULEROS_SA-2020-1812.NASL", "EULEROS_SA-2020-1889.NASL", "EULEROS_SA-2020-2068.NASL", "EULEROS_SA-2020-2277.NASL", "EULEROS_SA-2020-2405.NASL", "EULEROS_SA-2021-1099.NASL", "EULEROS_SA-2021-1215.NASL", "EULEROS_SA-2021-1331.NASL", "F5_BIGIP_SOL15189.NASL", "F5_BIGIP_SOL15905.NASL", "F5_BIGIP_SOL16872.NASL", "F5_BIGIP_SOL23432135.NASL", "FEDORA_2009-8121.NASL", "FEDORA_2009-8157.NASL", "FEDORA_2009-8329.NASL", "FEDORA_2009-8337.NASL", "FEDORA_2009-8456.NASL", "FEDORA_2009-8473.NASL", "FEDORA_2012-8428.NASL", "FEDORA_2012-8465.NASL", "FEDORA_2013-1189.NASL", "FEDORA_2013-1203.NASL", "FEDORA_2013-1289.NASL", "FEDORA_2013-5530.NASL", "FEDORA_2013-5546.NASL", "FEDORA_2013-5548.NASL", "FEDORA_2014-10617.NASL", "FEDORA_2014-10626.NASL", "FEDORA_2014-10649.NASL", "FEDORA_2014-2175.NASL", "FEDORA_2014-2183.NASL", "FEDORA_2014-2340.NASL", "FEDORA_2014-2372.NASL", "FEDORA_2014-9380.NASL", "FEDORA_2014-9539.NASL", "FEDORA_2014-9581.NASL", "FEDORA_2015-10175.NASL", "FEDORA_2015-10235.NASL", "FEDORA_2016-175B56BB05.NASL", "FEDORA_2016-250042B8A6.NASL", "FEDORA_2016-DE909CC333.NASL", "FEDORA_2017-11EDC0D6C3.NASL", "FEDORA_2017-2CCFBD650A.NASL", "FEDORA_2017-511EBFA8A3.NASL", "FEDORA_2017-7E0FF7F73A.NASL", "FEDORA_2017-8348115ACD.NASL", "FEDORA_2017-B8358CDA24.NASL", "FEDORA_2018-54A5BCC7E4.NASL", "FEDORA_2018-BF292E6CDF.NASL", "FEDORA_2018-DB8F322BB0.NASL", "FEDORA_2018-E4C2507720.NASL", "FEDORA_2019-063672154A.NASL", "FEDORA_2019-99FF6AA32C.NASL", "FEDORA_2019-AE6A703B8F.NASL", "FEDORA_2019-CB14E234FC.NASL", "FEDORA_2019-FB23ECCC03.NASL", "FREEBSD_PKG_18449F92AB3911E68011005056925DB4.NASL", "FREEBSD_PKG_3E0507C6961411E3B3A500E0814CAB4E.NASL", "FREEBSD_PKG_708C65A57C5811DEA9940030843D3802.NASL", "FREEBSD_PKG_C1265E857C9511E793AF005056925DB4.NASL", "FREEBSD_PKG_C97D7A37223311DF96DD001B2134EF46.NASL", "FREEBSD_PKG_D70C9E18F34011E8BE460019DBB15B3F.NASL", "GENTOO_GLSA-201206-13.NASL", "GENTOO_GLSA-201406-32.NASL", "GENTOO_GLSA-201408-19.NASL", "GENTOO_GLSA-201412-29.NASL", "GENTOO_GLSA-201607-09.NASL", "GENTOO_GLSA-201612-35.NASL", "GENTOO_GLSA-202107-37.NASL", "GENTOO_GLSA-202107-39.NASL", "JENKINS_1_551.NASL", "JFROG_ARTIFACTORY_7_10_1.NASL", "JUNIPER_NSM_JSA10642.NASL", "JUNIPER_SPACE_JSA_10838.NASL", "LOTUS_DOMINO_8_5_3_FP5.NASL", "LOTUS_DOMINO_9_0_1.NASL", "LOTUS_DOMINO_9_0_1_FP1.NASL", "LOTUS_NOTES_8_5_3_FP5.NASL", "LOTUS_NOTES_9_0_1_FP1.NASL", "MACOSX_JAVA_10_5_UPDATE5.NASL", "MACOSX_JAVA_10_6_UPDATE17.NASL", "MACOSX_JAVA_2013-005.NASL", "MACOSX_JAVA_2014-001.NASL", "MANDRIVA_MDVSA-2009-209.NASL", "MANDRIVA_MDVSA-2009-211.NASL", "MANDRIVA_MDVSA-2009-212.NASL", "MANDRIVA_MDVSA-2009-213.NASL", "MANDRIVA_MDVSA-2009-214.NASL", "MANDRIVA_MDVSA-2009-215.NASL", "MANDRIVA_MDVSA-2009-217.NASL", "MANDRIVA_MDVSA-2009-218.NASL", "MANDRIVA_MDVSA-2009-219.NASL", "MANDRIVA_MDVSA-2009-220.NASL", "MANDRIVA_MDVSA-2009-267.NASL", "MANDRIVA_MDVSA-2009-268.NASL", "MANDRIVA_MDVSA-2009-269.NASL", "MANDRIVA_MDVSA-2009-316.NASL", "MANDRIVA_MDVSA-2009-318.NASL", "MANDRIVA_MDVSA-2009-322.NASL", "MANDRIVA_MDVSA-2011-108.NASL", "MANDRIVA_MDVSA-2013-267.NASL", "MANDRIVA_MDVSA-2014-056.NASL", "MANDRIVA_MDVSA-2014-095.NASL", "MANDRIVA_MDVSA-2014-193.NASL", "MANDRIVA_MDVSA-2015-084.NASL", "MYSQL_ENTERPRISE_MONITOR_2_3_17.NASL", "MYSQL_ENTERPRISE_MONITOR_3_0_11.NASL", "MYSQL_ENTERPRISE_MONITOR_3_4_8.NASL", "OPENOFFICE_32.NASL", "OPENSUSE-2013-161.NASL", "OPENSUSE-2013-304.NASL", "OPENSUSE-2013-305.NASL", "OPENSUSE-2013-847.NASL", "OPENSUSE-2014-297.NASL", "OPENSUSE-2014-298.NASL", "OPENSUSE-2018-248.NASL", "OPENSUSE-2019-1399.NASL", "ORACLELINUX_ELSA-2009-1201.NASL", "ORACLELINUX_ELSA-2009-1428.NASL", "ORACLELINUX_ELSA-2009-1615.NASL", "ORACLELINUX_ELSA-2011-0858.NASL", "ORACLELINUX_ELSA-2013-0270.NASL", "ORACLELINUX_ELSA-2013-1447.NASL", "ORACLELINUX_ELSA-2013-1451.NASL", "ORACLELINUX_ELSA-2013-1505.NASL", "ORACLELINUX_ELSA-2014-0429.NASL", "ORACLELINUX_ELSA-2014-0474.NASL", "ORACLELINUX_ELSA-2014-0865.NASL", "ORACLELINUX_ELSA-2014-1319.NASL", "ORACLELINUX_ELSA-2017-2423.NASL", "ORACLELINUX_ELSA-2022-9419.NASL", "ORACLE_APPLICATION_SERVER_PCI.NASL", "ORACLE_BI_PUBLISHER_APR_2020_CPU.NASL", "ORACLE_BI_PUBLISHER_OCT_2018_CPU.NASL", "ORACLE_EDQ_OCT_2014_CPU.NASL", "ORACLE_EIDS_CPU_OCT_2014.NASL", "ORACLE_ENTERPRISE_MANAGER_CPU_JAN_2021.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2018_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_JUL_2020_CPU_UI.NASL", "ORACLE_GOLDENGATE_CPU_OCT_2021.NASL", "ORACLE_GOLDENGATE_FOR_BIG_DATA_CPU_JAN_2019.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_OCT_2014.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_OCT_2018.NASL", "ORACLE_JAVA_CPU_OCT_2013.NASL", "ORACLE_JAVA_CPU_OCT_2013_UNIX.NASL", "ORACLE_OAAM_CPU_OCT_2014.NASL", "ORACLE_OATS_CPU_JUL_2018.NASL", "ORACLE_OATS_CPU_JUL_2019.NASL", "ORACLE_OATS_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_APR_2021.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_APR_2019.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2019.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2020.NASL", "ORACLE_RDBMS_CPU_JUL_2020.NASL", "ORACLE_RDBMS_CPU_OCT_2014.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2018_CPU.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2018.NBIN", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2019.NBIN", "ORACLE_WEBCENTER_SITES_APR_2015_CPU.NASL", "ORACLE_WEBCENTER_SITES_JUL_2019_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2018.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2021.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2014.NBIN", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2021.NASL", "PHOTONOS_PHSA-2020-3_0-0141_COMMONS.NASL", "REDHAT-RHSA-2009-1199.NASL", "REDHAT-RHSA-2009-1200.NASL", "REDHAT-RHSA-2009-1201.NASL", "REDHAT-RHSA-2009-1236.NASL", "REDHAT-RHSA-2009-1428.NASL", "REDHAT-RHSA-2009-1505.NASL", "REDHAT-RHSA-2009-1582.NASL", "REDHAT-RHSA-2009-1615.NASL", "REDHAT-RHSA-2009-1636.NASL", "REDHAT-RHSA-2009-1637.NASL", "REDHAT-RHSA-2009-1649.NASL", "REDHAT-RHSA-2009-1650.NASL", "REDHAT-RHSA-2009-1662.NASL", "REDHAT-RHSA-2009-1694.NASL", "REDHAT-RHSA-2010-0043.NASL", "REDHAT-RHSA-2011-0858.NASL", "REDHAT-RHSA-2012-1537.NASL", "REDHAT-RHSA-2013-0270.NASL", "REDHAT-RHSA-2013-0680.NASL", "REDHAT-RHSA-2013-1059.NASL", "REDHAT-RHSA-2013-1060.NASL", "REDHAT-RHSA-2013-1081.NASL", "REDHAT-RHSA-2013-1440.NASL", "REDHAT-RHSA-2013-1447.NASL", "REDHAT-RHSA-2013-1451.NASL", "REDHAT-RHSA-2013-1505.NASL", "REDHAT-RHSA-2014-0224.NASL", "REDHAT-RHSA-2014-0253.NASL", "REDHAT-RHSA-2014-0389.NASL", "REDHAT-RHSA-2014-0414.NASL", "REDHAT-RHSA-2014-0429.NASL", "REDHAT-RHSA-2014-0474.NASL", "REDHAT-RHSA-2014-0500.NASL", "REDHAT-RHSA-2014-0525.NASL", "REDHAT-RHSA-2014-0526.NASL", "REDHAT-RHSA-2014-0865.NASL", "REDHAT-RHSA-2014-1162.NASL", "REDHAT-RHSA-2014-1319.NASL", "REDHAT-RHSA-2014-1320.NASL", "REDHAT-RHSA-2014-1321.NASL", "REDHAT-RHSA-2014-1818.NASL", "REDHAT-RHSA-2014-1821.NASL", "REDHAT-RHSA-2014-1822.NASL", "REDHAT-RHSA-2017-1801.NASL", "REDHAT-RHSA-2017-2423.NASL", "REDHAT-RHSA-2017-2635.NASL", "REDHAT-RHSA-2017-2636.NASL", "REDHAT-RHSA-2017-2637.NASL", "REDHAT-RHSA-2017-2638.NASL", "REDHAT-RHSA-2017-2808.NASL", "REDHAT-RHSA-2017-2809.NASL", "REDHAT-RHSA-2017-2811.NASL", "REDHAT-RHSA-2017-3399.NASL", "REDHAT-RHSA-2018-2423.NASL", "REDHAT-RHSA-2018-2424.NASL", "REDHAT-RHSA-2018-2643.NASL", "REDHAT-RHSA-2018-2741.NASL", "REDHAT-RHSA-2018-2743.NASL", "REDHAT-RHSA-2018-2927.NASL", "REDHAT-RHSA-2019-2720.NASL", "REDHAT-RHSA-2019-2935.NASL", "REDHAT-RHSA-2019-2936.NASL", "REDHAT-RHSA-2019-2937.NASL", "REDHAT-RHSA-2019-3044.NASL", "REDHAT-RHSA-2019-3045.NASL", "REDHAT-RHSA-2019-3046.NASL", "SLACKWARE_SSA_2011-041-02.NASL", "SL_20090806_JAVA_1_6_0_OPENJDK_ON_SL5_3.NASL", "SL_20090824_JAVA__JDK_1_6_0__ON_SL4_X.NASL", "SL_20090908_XMLSEC1_ON_SL4_X.NASL", "SL_20091130_XERCES_J2_ON_SL5_X.NASL", "SL_20110608_XERCES_J2_ON_SL6_X.NASL", "SL_20130219_JAKARTA_COMMONS_HTTPCLIENT_ON_SL5_X.NASL", "SL_20131021_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20131022_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20131105_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "SL_20140423_TOMCAT6_ON_SL6_X.NASL", "SL_20140507_STRUTS_ON_SL5_X.NASL", "SL_20140709_TOMCAT6_ON_SL6_X.NASL", "SL_20140929_XERCES_J2_ON_SL6_X.NASL", "SL_20170807_LOG4J_ON_SL7_X.NASL", "SMB_NT_MS10-041.NASL", "SOLARIS10_119166.NASL", "SOLARIS10_124672-20.NASL", "SOLARIS10_124672.NASL", "SOLARIS10_125136-71.NASL", "SOLARIS10_125136-75.NASL", "SOLARIS10_125136.NASL", "SOLARIS10_128640-30.NASL", "SOLARIS10_128640.NASL", "SOLARIS10_141709-03.NASL", "SOLARIS10_141709.NASL", "SOLARIS10_X86_119167-43.NASL", "SOLARIS10_X86_119167.NASL", "SOLARIS10_X86_124673-20.NASL", "SOLARIS10_X86_124673.NASL", "SOLARIS10_X86_128641-30.NASL", "SOLARIS10_X86_128641.NASL", "SOLARIS10_X86_141710-03.NASL", "SOLARIS10_X86_141710.NASL", "SOLARIS11_ANT_20130430.NASL", "SOLARIS8_119166.NASL", "SOLARIS8_124672.NASL", "SOLARIS8_125136.NASL", "SOLARIS9_119166.NASL", "SOLARIS9_124672.NASL", "SOLARIS9_125136.NASL", "SOLARIS9_128640.NASL", "SOLARIS9_141709.NASL", "SOLARIS9_X86_119167.NASL", "SOLARIS9_X86_124673.NASL", "SOLARIS9_X86_128641.NASL", "SOLARIS9_X86_141710.NASL", "STRUTS_2_3_16_1.NASL", "STRUTS_2_3_16_1_WIN_LOCAL.NASL", "STRUTS_2_3_28_WIN_LOCAL.NASL", "STRUTS_2_3_36_FILEUPLOAD.NASL", "STRUTS_2_5_12.NASL", "STRUTS_CLASSLOADER_MANIPULATION.NASL", "SUN_JAVA_JRE_263408.NASL", "SUN_JAVA_JRE_263408_UNIX.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE9_12511.NASL", "SUSE9_12591.NASL", "SUSE9_12600.NASL", "SUSE_11_0_JAVA-1_6_0-OPENJDK-090826.NASL", "SUSE_11_0_JAVA-1_6_0-OPENJDK-090920.NASL", "SUSE_11_0_LIBEXPAT0-100220.NASL", "SUSE_11_0_LIBPYTHON2_6-1_0-100328.NASL", "SUSE_11_0_OPENOFFICE_ORG-100211.NASL", "SUSE_11_0_XERCES-J2-090820.NASL", "SUSE_11_1_JAVA-1_6_0-OPENJDK-090827.NASL", "SUSE_11_1_JAVA-1_6_0-OPENJDK-090922.NASL", "SUSE_11_1_KOMPOZER-090827.NASL", "SUSE_11_1_LIBEXPAT0-100220.NASL", "SUSE_11_1_LIBPYTHON2_6-1_0-100330.NASL", "SUSE_11_1_OPENOFFICE_ORG-BASE-DRIVERS-POSTGRESQL-100211.NASL", "SUSE_11_1_XERCES-J2-090820.NASL", "SUSE_11_2_LIBEXPAT0-100220.NASL", "SUSE_11_2_LIBPYTHON2_6-1_0-100329.NASL", "SUSE_11_2_OPENOFFICE_ORG-BASE-DRIVERS-POSTGRESQL-100216.NASL", "SUSE_11_JAVA-1_4_2-IBM-090924.NASL", "SUSE_11_JAVA-1_6_0-IBM-091102.NASL", "SUSE_11_JAVA-1_6_0-IBM-100105.NASL", "SUSE_11_JAVA-1_6_0-IBM-130723.NASL", "SUSE_11_JAVA-1_6_0-OPENJDK-131129.NASL", "SUSE_11_JAVA-1_7_0-IBM-130723.NASL", "SUSE_11_JAVA-1_7_0-OPENJDK-131104.NASL", "SUSE_11_LIBPYTHON2_6-1_0-100323.NASL", "SUSE_11_OPENOFFICE_ORG-100225.NASL", "SUSE_11_OPENOFFICE_ORG-100226.NASL", "SUSE_11_XERCES-J2-090820.NASL", "SUSE_JAVA-1_4_2-IBM-6508.NASL", "SUSE_JAVA-1_4_2-IBM-6523.NASL", "SUSE_JAVA-1_5_0-IBM-8653.NASL", "SUSE_JAVA-1_6_0-IBM-8657.NASL", "SUSE_LIBICECORE-6857.NASL", "SUSE_LIBICECORE-6862.NASL", "SUSE_OPENOFFICE_ORG-6883.NASL", "SUSE_OPENOFFICE_ORG-6884.NASL", "SUSE_PYTHON-6946.NASL", "SUSE_SU-2013-1256-1.NASL", "SUSE_SU-2013-1669-1.NASL", "SUSE_SU-2019-14044-1.NASL", "SUSE_XERCES-J2-6445.NASL", "SUSE_XERCES-J2-6449.NASL", "SYNAPSE_3_0_0.NASL", "TOMCAT_7_0_52.NASL", "TOMCAT_8_0_3.NASL", "UBUNTU_USN-2033-1.NASL", "UBUNTU_USN-2089-1.NASL", "UBUNTU_USN-2130-1.NASL", "UBUNTU_USN-2769-1.NASL", "UBUNTU_USN-5293-1.NASL", "UBUNTU_USN-814-1.NASL", "UBUNTU_USN-826-1.NASL", "UBUNTU_USN-890-1.NASL", "UBUNTU_USN-890-2.NASL", "UBUNTU_USN-890-3.NASL", "UBUNTU_USN-890-4.NASL", "UBUNTU_USN-890-5.NASL", "UBUNTU_USN-890-6.NASL", "UBUNTU_USN-903-1.NASL", "VCENTER_OPERATIONS_MANAGER_VMSA_2014-0007.NASL", "VMWARE_MULTIPLE_VMSA_2008_0008.NASL", "VMWARE_ORCHESTRATOR_APPLIANCE_VMSA_2014_0007.NASL", "VMWARE_ORCHESTRATOR_VMSA_2014_0007.NASL", "VMWARE_VCENTER_VMSA-2014-0008.NASL", "VMWARE_VMSA-2009-0016.NASL", "VMWARE_VMSA-2009-0016_REMOTE.NASL", "VMWARE_VMSA-2010-0002.NASL", "VMWARE_VMSA-2010-0002_REMOTE.NASL", "VMWARE_VMSA-2014-0008.NASL", "WEBSPHERE_301027.NASL", "WEBSPHERE_6453091.NASL", "WEBSPHERE_6_1_0_47.NASL", "WEBSPHERE_711865.NASL", "WEBSPHERE_711867.NASL", "WEBSPHERE_7_0_0_13.NASL", "WEBSPHERE_7_0_0_31.NASL", "WEBSPHERE_7_0_0_33.NASL", "WEBSPHERE_8_0_0_7.NASL", "WEBSPHERE_8_0_0_9.NASL", "WEBSPHERE_8_5_5_1.NASL", "WEBSPHERE_8_5_5_2.NASL", "WEBSPHERE_PORTAL_7_0_0_2_CF29.NASL", "WEBSPHERE_PORTAL_8_0_0_1_CF12.NASL", "WEBSPHERE_PORTAL_8_5_0_0_CF02.NASL", "WEBSPHERE_PORTAL_CVE-2014-0050.NASL", "WEBSPHERE_PORTAL_CVE-2014-0114.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:102043", "OPENVAS:1361412562310100814", "OPENVAS:1361412562310102043", "OPENVAS:1361412562310103919", "OPENVAS:1361412562310105086", "OPENVAS:1361412562310105087", "OPENVAS:1361412562310105088", "OPENVAS:1361412562310108626", "OPENVAS:1361412562310108627", "OPENVAS:1361412562310120079", "OPENVAS:1361412562310120121", "OPENVAS:1361412562310120197", "OPENVAS:1361412562310120345", "OPENVAS:1361412562310120359", "OPENVAS:1361412562310120384", "OPENVAS:1361412562310120469", "OPENVAS:1361412562310121235", "OPENVAS:1361412562310121263", "OPENVAS:1361412562310121315", "OPENVAS:1361412562310122149", "OPENVAS:1361412562310122416", "OPENVAS:1361412562310122459", "OPENVAS:1361412562310123297", "OPENVAS:1361412562310123417", "OPENVAS:1361412562310123422", "OPENVAS:1361412562310123534", "OPENVAS:1361412562310123546", "OPENVAS:1361412562310123549", "OPENVAS:1361412562310123724", "OPENVAS:1361412562310131288", "OPENVAS:1361412562310141668", "OPENVAS:136141256231064542", "OPENVAS:136141256231064545", "OPENVAS:136141256231064561", "OPENVAS:136141256231064581", "OPENVAS:136141256231064589", "OPENVAS:136141256231064590", "OPENVAS:136141256231064591", "OPENVAS:136141256231064613", "OPENVAS:136141256231064615", "OPENVAS:136141256231064621", "OPENVAS:136141256231064623", "OPENVAS:136141256231064660", "OPENVAS:136141256231064672", "OPENVAS:136141256231064681", "OPENVAS:136141256231064683", "OPENVAS:136141256231064684", "OPENVAS:136141256231064685", "OPENVAS:136141256231064686", "OPENVAS:136141256231064687", "OPENVAS:136141256231064688", "OPENVAS:136141256231064689", "OPENVAS:136141256231064690", "OPENVAS:136141256231064691", "OPENVAS:136141256231064692", "OPENVAS:136141256231064809", "OPENVAS:136141256231064823", "OPENVAS:136141256231064901", "OPENVAS:136141256231065171", "OPENVAS:136141256231065711", "OPENVAS:136141256231065728", "OPENVAS:136141256231065736", "OPENVAS:136141256231065737", "OPENVAS:136141256231065764", "OPENVAS:136141256231065850", "OPENVAS:136141256231066011", "OPENVAS:136141256231066023", "OPENVAS:136141256231066025", "OPENVAS:136141256231066026", "OPENVAS:136141256231066059", "OPENVAS:136141256231066107", "OPENVAS:136141256231066145", "OPENVAS:136141256231066230", "OPENVAS:136141256231066242", "OPENVAS:136141256231066317", "OPENVAS:136141256231066361", "OPENVAS:136141256231066383", "OPENVAS:136141256231066385", "OPENVAS:136141256231066389", "OPENVAS:136141256231066391", "OPENVAS:136141256231066400", "OPENVAS:136141256231066408", "OPENVAS:136141256231066410", "OPENVAS:136141256231066415", "OPENVAS:136141256231066543", "OPENVAS:136141256231066617", "OPENVAS:136141256231067053", "OPENVAS:136141256231068152", "OPENVAS:136141256231068923", "OPENVAS:1361412562310702856", "OPENVAS:1361412562310702897", "OPENVAS:1361412562310702940", "OPENVAS:1361412562310703575", "OPENVAS:1361412562310703840", "OPENVAS:1361412562310703841", "OPENVAS:1361412562310703857", "OPENVAS:1361412562310704542", "OPENVAS:136141256231071580", "OPENVAS:1361412562310804251", "OPENVAS:1361412562310807012", "OPENVAS:1361412562310807039", "OPENVAS:1361412562310807751", "OPENVAS:1361412562310807953", "OPENVAS:1361412562310808021", "OPENVAS:1361412562310808267", "OPENVAS:1361412562310809053", "OPENVAS:1361412562310814409", "OPENVAS:1361412562310830781", "OPENVAS:1361412562310830782", "OPENVAS:1361412562310830784", "OPENVAS:1361412562310830786", "OPENVAS:1361412562310831417", "OPENVAS:1361412562310840375", "OPENVAS:1361412562310840376", "OPENVAS:1361412562310840377", "OPENVAS:1361412562310840380", "OPENVAS:1361412562310840391", "OPENVAS:1361412562310840394", "OPENVAS:1361412562310840422", "OPENVAS:1361412562310841636", "OPENVAS:1361412562310841692", "OPENVAS:1361412562310841741", "OPENVAS:1361412562310842488", "OPENVAS:1361412562310850130", "OPENVAS:1361412562310850747", "OPENVAS:1361412562310852501", "OPENVAS:1361412562310864280", "OPENVAS:1361412562310864383", "OPENVAS:1361412562310865277", "OPENVAS:1361412562310865280", "OPENVAS:1361412562310865298", "OPENVAS:1361412562310865608", "OPENVAS:1361412562310865612", "OPENVAS:1361412562310867519", "OPENVAS:1361412562310867523", "OPENVAS:1361412562310867530", "OPENVAS:1361412562310867544", "OPENVAS:1361412562310868112", "OPENVAS:1361412562310868129", "OPENVAS:1361412562310868132", "OPENVAS:1361412562310868205", "OPENVAS:1361412562310868207", "OPENVAS:1361412562310869839", "OPENVAS:1361412562310869842", "OPENVAS:1361412562310869848", "OPENVAS:1361412562310869849", "OPENVAS:1361412562310870688", "OPENVAS:1361412562310870917", "OPENVAS:1361412562310871057", "OPENVAS:1361412562310871060", "OPENVAS:1361412562310871062", "OPENVAS:1361412562310871159", "OPENVAS:1361412562310871164", "OPENVAS:1361412562310871200", "OPENVAS:1361412562310871252", "OPENVAS:1361412562310871877", "OPENVAS:1361412562310872637", "OPENVAS:1361412562310872638", "OPENVAS:1361412562310872757", "OPENVAS:1361412562310872759", "OPENVAS:1361412562310874441", "OPENVAS:1361412562310874463", "OPENVAS:1361412562310874538", "OPENVAS:1361412562310874589", "OPENVAS:1361412562310876429", "OPENVAS:1361412562310876434", "OPENVAS:1361412562310876828", "OPENVAS:1361412562310876829", "OPENVAS:1361412562310876830", "OPENVAS:1361412562310876832", "OPENVAS:1361412562310876833", "OPENVAS:1361412562310876834", "OPENVAS:1361412562310876835", "OPENVAS:1361412562310876837", "OPENVAS:1361412562310876898", "OPENVAS:1361412562310877109", "OPENVAS:1361412562310877127", "OPENVAS:1361412562310877141", "OPENVAS:1361412562310877251", "OPENVAS:1361412562310880711", "OPENVAS:1361412562310880823", "OPENVAS:1361412562310880916", "OPENVAS:1361412562310880948", "OPENVAS:1361412562310881604", "OPENVAS:1361412562310881806", "OPENVAS:1361412562310881814", "OPENVAS:1361412562310881819", "OPENVAS:1361412562310881822", "OPENVAS:1361412562310881927", "OPENVAS:1361412562310881933", "OPENVAS:1361412562310881960", "OPENVAS:1361412562310882043", "OPENVAS:1361412562310882045", "OPENVAS:1361412562310890930", "OPENVAS:1361412562310890945", "OPENVAS:1361412562310891621", "OPENVAS:1361412562310891831", "OPENVAS:1361412562310891853", "OPENVAS:1361412562310892184", "OPENVAS:1361412562310902193", "OPENVAS:1361412562311220171213", "OPENVAS:1361412562311220171214", "OPENVAS:64542", "OPENVAS:64545", "OPENVAS:64561", "OPENVAS:64581", "OPENVAS:64589", "OPENVAS:64590", "OPENVAS:64591", "OPENVAS:64613", "OPENVAS:64615", "OPENVAS:64621", "OPENVAS:64623", "OPENVAS:64654", "OPENVAS:64660", "OPENVAS:64672", "OPENVAS:64681", "OPENVAS:64683", "OPENVAS:64684", "OPENVAS:64685", "OPENVAS:64686", "OPENVAS:64687", "OPENVAS:64688", "OPENVAS:64689", "OPENVAS:64690", "OPENVAS:64691", "OPENVAS:64692", "OPENVAS:64782", "OPENVAS:64809", "OPENVAS:64823", "OPENVAS:64901", "OPENVAS:65171", "OPENVAS:65711", "OPENVAS:65728", "OPENVAS:65736", "OPENVAS:65737", "OPENVAS:65764", "OPENVAS:65850", "OPENVAS:66011", "OPENVAS:66023", "OPENVAS:66025", "OPENVAS:66026", "OPENVAS:66059", "OPENVAS:66107", "OPENVAS:66145", "OPENVAS:66230", "OPENVAS:66242", "OPENVAS:66317", "OPENVAS:66361", "OPENVAS:66383", "OPENVAS:66385", "OPENVAS:66389", "OPENVAS:66391", "OPENVAS:66400", "OPENVAS:66408", "OPENVAS:66410", "OPENVAS:66415", "OPENVAS:66543", "OPENVAS:66617", "OPENVAS:67053", "OPENVAS:68152", "OPENVAS:68923", "OPENVAS:702856", "OPENVAS:702897", "OPENVAS:702940", "OPENVAS:703575", "OPENVAS:703840", "OPENVAS:703841", "OPENVAS:703857", "OPENVAS:71580", "OPENVAS:830781", "OPENVAS:830782", "OPENVAS:830784", "OPENVAS:830786", "OPENVAS:831417", "OPENVAS:840375", "OPENVAS:840376", "OPENVAS:840377", "OPENVAS:840380", "OPENVAS:840391", "OPENVAS:840394", "OPENVAS:840422", "OPENVAS:841636", "OPENVAS:841692", "OPENVAS:841741", "OPENVAS:850130", "OPENVAS:864280", "OPENVAS:864383", "OPENVAS:865277", "OPENVAS:865280", "OPENVAS:865298", "OPENVAS:865608", "OPENVAS:865612", "OPENVAS:867519", "OPENVAS:867523", "OPENVAS:867530", "OPENVAS:867544", "OPENVAS:870688", "OPENVAS:870917", "OPENVAS:871057", "OPENVAS:871060", "OPENVAS:871062", "OPENVAS:871159", "OPENVAS:871164", "OPENVAS:880711", "OPENVAS:880823", "OPENVAS:880916", "OPENVAS:880948", "OPENVAS:881604", "OPENVAS:881806", "OPENVAS:881814", "OPENVAS:881819", "OPENVAS:881822", "OPENVAS:881927", "OPENVAS:881933", "OPENVAS:902193"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2015", "ORACLE:CPUAPR2017", "ORACLE:CPUAPR2018", "ORACLE:CPUAPR2019", "ORACLE:CPUAPR2020", "ORACLE:CPUAPR2021", "ORACLE:CPUJAN2010-084891", "ORACLE:CPUJAN2015", "ORACLE:CPUJAN2016", "ORACLE:CPUJAN2018", "ORACLE:CPUJAN2019", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJUL2009-091332", "ORACLE:CPUJUL2010-155308", "ORACLE:CPUJUL2014-1972956", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUOCT2009-096303", "ORACLE:CPUOCT2013-1899837", "ORACLE:CPUOCT2014-1972960", "ORACLE:CPUOCT2015", "ORACLE:CPUOCT2016", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2018", "ORACLE:CPUOCT2019", "ORACLE:CPUOCT2020", "ORACLE:CPUOCT2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2009-1201", "ELSA-2009-1428", "ELSA-2009-1615", "ELSA-2011-0858", "ELSA-2013-0270", "ELSA-2013-1447", "ELSA-2013-1451", "ELSA-2013-1505", "ELSA-2014-0429", "ELSA-2014-0474", "ELSA-2014-0686", "ELSA-2014-0865", "ELSA-2014-1319", "ELSA-2017-2247", "ELSA-2017-2423", "ELSA-2019-2720", "ELSA-2020-0194", "ELSA-2022-9419"]}, {"type": "osv", "idList": ["OSV:DLA-1621-1", "OSV:DLA-1831-1", "OSV:DLA-1853-1", "OSV:DLA-2184-1", "OSV:DLA-222-1", "OSV:DLA-504-1", "OSV:DLA-57-1", "OSV:DLA-611-1", "OSV:DLA-930-1", "OSV:DLA-945-1", "OSV:DSA-1849-1", "OSV:DSA-1984-1", "OSV:DSA-1995-1", "OSV:DSA-2856-1", "OSV:DSA-2897-1", "OSV:DSA-2940-1", "OSV:DSA-3575-1", "OSV:DSA-3840-1", "OSV:DSA-3841-1", "OSV:DSA-3857-1", "OSV:GHSA-23VV-V25H-QWQW", "OSV:GHSA-2X83-R56G-CV47", "OSV:GHSA-2XXH-F8R3-HVVR", "OSV:GHSA-334P-WV2M-W3VP", "OSV:GHSA-3533-RVPC-6X56", "OSV:GHSA-3832-9276-X7GF", "OSV:GHSA-383P-XQXX-RRMP", "OSV:GHSA-4487-X383-QPPH", "OSV:GHSA-4CCH-WXPW-8P28", "OSV:GHSA-6FXM-66HQ-FC96", "OSV:GHSA-6HGM-866R-3CJV", "OSV:GHSA-78FQ-W796-Q537", "OSV:GHSA-7HWC-46RM-65JH", "OSV:GHSA-7J4H-8WPF-RQFH", "OSV:GHSA-7X9J-7223-RG5M", "OSV:GHSA-84P2-VF58-XHXV", "OSV:GHSA-8HFM-837H-HJG5", "OSV:GHSA-CJCF-WM2P-59H5", "OSV:GHSA-CMFG-87VQ-G5G4", "OSV:GHSA-F554-X222-WGF7", "OSV:GHSA-FXPH-Q3J8-MV87", "OSV:GHSA-HF23-9PF7-388P", "OSV:GHSA-JFVX-7WRX-43FH", "OSV:GHSA-MPH4-VHRX-MV67", "OSV:GHSA-MVR2-9PJ6-7W5J", "OSV:GHSA-MW36-7C6C-Q4Q2", "OSV:GHSA-P66X-2CV9-QQ3V", "OSV:GHSA-P694-23Q3-RVRC", "OSV:GHSA-PWH7-92H3-MQR6", "OSV:GHSA-Q446-82VQ-W674", "OSV:GHSA-Q485-J897-QC27", "OSV:GHSA-RGH3-987H-WPMW", "OSV:GHSA-RHCG-RWHX-QJ3J", "OSV:GHSA-RM7V-GQFG-P2WC", "OSV:GHSA-V8Q2-94F6-6XQ2", "OSV:GHSA-VM69-474V-7Q2W", "OSV:GHSA-VMQM-G3VH-847M", "OSV:GHSA-XX68-JFCG-XMMF"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135150", "PACKETSTORM:149050"]}, {"type": "pentestit", "idList": ["PENTESTIT:30AA332D5D04A4C69FDE4D187314152E"]}, {"type": "photon", "idList": ["PHSA-2020-0141", "PHSA-2020-3.0-0141"]}, {"type": "redhat", "idList": ["RHSA-2009:1199", "RHSA-2009:1200", "RHSA-2009:1201", "RHSA-2009:1236", "RHSA-2009:1428", "RHSA-2009:1505", "RHSA-2009:1551", "RHSA-2009:1582", "RHSA-2009:1615", "RHSA-2009:1649", "RHSA-2009:1662", "RHSA-2009:1694", "RHSA-2010:0043", "RHSA-2011:0858", "RHSA-2012:1537", "RHSA-2013:0270", "RHSA-2013:0649", "RHSA-2013:0679", "RHSA-2013:0680", "RHSA-2013:0682", "RHSA-2013:1006", "RHSA-2013:1059", "RHSA-2013:1060", "RHSA-2013:1081", "RHSA-2013:1440", "RHSA-2013:1447", "RHSA-2013:1451", "RHSA-2013:1505", "RHSA-2013:1853", "RHSA-2014:0216", "RHSA-2014:0224", "RHSA-2014:0252", "RHSA-2014:0253", "RHSA-2014:0294", "RHSA-2014:0323", "RHSA-2014:0371", "RHSA-2014:0372", "RHSA-2014:0374", "RHSA-2014:0389", "RHSA-2014:0400", "RHSA-2014:0401", "RHSA-2014:0414", "RHSA-2014:0429", "RHSA-2014:0452", "RHSA-2014:0459", "RHSA-2014:0474", "RHSA-2014:0497", "RHSA-2014:0498", "RHSA-2014:0500", "RHSA-2014:0511", "RHSA-2014:0525", "RHSA-2014:0526", "RHSA-2014:0527", "RHSA-2014:0528", "RHSA-2014:0865", "RHSA-2014:1007", "RHSA-2014:1059", "RHSA-2014:1162", "RHSA-2014:1319", "RHSA-2014:1320", "RHSA-2014:1321", "RHSA-2014:1818", "RHSA-2014:1821", "RHSA-2014:1822", "RHSA-2014:1904", "RHSA-2015:0234", "RHSA-2015:0235", "RHSA-2015:0675", "RHSA-2015:0720", "RHSA-2015:0765", "RHSA-2015:0773", "RHSA-2015:0850", "RHSA-2015:0851", "RHSA-2015:1009", "RHSA-2015:1176", "RHSA-2015:1177", "RHSA-2015:1888", "RHSA-2016:2822", "RHSA-2016:2823", "RHSA-2017:0868", "RHSA-2017:1417", "RHSA-2017:1801", "RHSA-2017:1802", "RHSA-2017:1832", "RHSA-2017:2423", "RHSA-2017:2633", "RHSA-2017:2635", "RHSA-2017:2636", "RHSA-2017:2637", "RHSA-2017:2638", "RHSA-2017:2808", "RHSA-2017:2809", "RHSA-2017:2810", "RHSA-2017:2811", "RHSA-2017:2888", "RHSA-2017:2889", "RHSA-2017:3115", "RHSA-2017:3244", "RHSA-2017:3399", "RHSA-2017:3400", "RHSA-2018:1320", "RHSA-2018:2423", "RHSA-2018:2424", "RHSA-2018:2425", "RHSA-2018:2428", "RHSA-2018:2598", "RHSA-2018:2643", "RHSA-2018:2669", "RHSA-2018:2740", "RHSA-2018:2741", "RHSA-2018:2742", "RHSA-2018:2743", "RHSA-2018:2927", "RHSA-2019:1545", "RHSA-2019:1820", "RHSA-2019:1822", "RHSA-2019:1823", "RHSA-2019:2720", "RHSA-2019:2804", "RHSA-2019:2858", "RHSA-2019:2935", "RHSA-2019:2936", "RHSA-2019:2937", "RHSA-2019:2938", "RHSA-2019:2995", "RHSA-2019:2998", "RHSA-2019:3044", "RHSA-2019:3045", "RHSA-2019:3046", "RHSA-2019:3050", "RHSA-2019:3149", "RHSA-2019:3200", "RHSA-2019:3292", "RHSA-2019:3297", "RHSA-2019:3892", "RHSA-2019:3901", "RHSA-2019:4117", "RHSA-2019:4352", "RHSA-2020:0727", "RHSA-2020:0983", "RHSA-2020:2562", "RHSA-2021:3140"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-3093", "RH:CVE-2017-3523", "RH:CVE-2017-3586", "RH:CVE-2017-3589", "RH:CVE-2017-5645", "RH:CVE-2018-10237", "RH:CVE-2018-1272", "RH:CVE-2018-20433", "RH:CVE-2019-10173", "RH:CVE-2019-12384", "RH:CVE-2019-12814", "RH:CVE-2019-17571", "RH:CVE-2019-3834", "RH:CVE-2019-5427", "RH:CVE-2020-26258", "RH:CVE-2020-26259"]}, {"type": "rocky", "idList": ["RLBA-2019:3416", "RLSA-2019:2720"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22178", "SECURITYVULNS:DOC:22294", "SECURITYVULNS:DOC:22665", "SECURITYVULNS:DOC:23035", "SECURITYVULNS:DOC:24023", "SECURITYVULNS:DOC:24227", "SECURITYVULNS:DOC:29176", "SECURITYVULNS:DOC:29495", "SECURITYVULNS:DOC:30435", "SECURITYVULNS:DOC:30528", "SECURITYVULNS:DOC:30529", "SECURITYVULNS:DOC:30881", "SECURITYVULNS:DOC:31186", "SECURITYVULNS:DOC:32033", "SECURITYVULNS:DOC:32494", "SECURITYVULNS:DOC:32573", "SECURITYVULNS:VULN:10077", "SECURITYVULNS:VULN:10137", "SECURITYVULNS:VULN:10337", "SECURITYVULNS:VULN:10514", "SECURITYVULNS:VULN:10917", "SECURITYVULNS:VULN:10999", "SECURITYVULNS:VULN:12399", "SECURITYVULNS:VULN:13423", "SECURITYVULNS:VULN:13578", "SECURITYVULNS:VULN:13701", "SECURITYVULNS:VULN:13845", "SECURITYVULNS:VULN:13868", "SECURITYVULNS:VULN:14011", "SECURITYVULNS:VULN:14031", "SECURITYVULNS:VULN:14233", "SECURITYVULNS:VULN:14393", "SECURITYVULNS:VULN:14470", "SECURITYVULNS:VULN:14755"]}, {"type": "seebug", "idList": ["SSV:12005", "SSV:12447", "SSV:19839", "SSV:60155", "SSV:60668", "SSV:61443", "SSV:84935", "SSV:92965", "SSV:96979"]}, {"type": "slackware", "idList": ["SSA-2011-041-02"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1399-1", "SUSE-SA:2009:053", "SUSE-SA:2010:004", "SUSE-SA:2010:017", "SUSE-SU-2013:1255-1", "SUSE-SU-2013:1255-2", "SUSE-SU-2013:1255-3", "SUSE-SU-2013:1256-1", "SUSE-SU-2013:1257-1", "SUSE-SU-2013:1263-1", "SUSE-SU-2013:1263-2", "SUSE-SU-2013:1293-1", "SUSE-SU-2013:1305-1", "SUSE-SU-2013:1666-1", "SUSE-SU-2013:1669-1", "SUSE-SU-2014:0548-1", "SUSE-SU-2014:0902-1"]}, {"type": "symantec", "idList": ["SMNTC-109664", "SMNTC-1329", "SMNTC-93604", "SMNTC-97702"]}, {"type": "thn", "idList": ["THN:90DC43ADC5123FED500235ACDF6D6277", "THN:D7C30FB307A1DC524FADFFBF2D1BEAB1"]}, {"type": "threatpost", "idList": ["THREATPOST:40B4CEF304ADBCA0734F292661E7810B", "THREATPOST:71CFE98EE69CB32A2F1F115FCB3ACF21", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:DA06EE238F79D261C0FCB61902F3CDBD"]}, {"type": "tomcat", "idList": ["TOMCAT:60B7F846069FB29989715E62FE185ECA", "TOMCAT:720D06DA167834DEDCCF6CCE7DD28826"]}, {"type": "ubuntu", "idList": ["USN-2033-1", "USN-2089-1", "USN-2130-1", "USN-2769-1", "USN-4766-1", "USN-4774-1", "USN-4813-1", "USN-5293-1", "USN-5293-2", "USN-814-1", "USN-826-1", "USN-890-1", "USN-890-2", "USN-890-3", "USN-890-4", "USN-890-5", "USN-890-6", "USN-903-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2009-0217", "UB:CVE-2009-2625", "UB:CVE-2009-3560", "UB:CVE-2009-3720", "UB:CVE-2010-1632", "UB:CVE-2012-0881", "UB:CVE-2012-2098", "UB:CVE-2012-5055", "UB:CVE-2012-5783", "UB:CVE-2012-6153", "UB:CVE-2013-0248", "UB:CVE-2013-2155", "UB:CVE-2013-4002", "UB:CVE-2013-7285", "UB:CVE-2014-0050", "UB:CVE-2014-0114", "UB:CVE-2014-3578", "UB:CVE-2014-3603", "UB:CVE-2015-1796", "UB:CVE-2016-1000031", "UB:CVE-2016-3093", "UB:CVE-2016-3674", "UB:CVE-2016-5725", "UB:CVE-2017-3523", "UB:CVE-2017-3586", "UB:CVE-2017-3589", "UB:CVE-2017-5645", "UB:CVE-2017-7957", "UB:CVE-2018-1272", "UB:CVE-2018-20433", "UB:CVE-2019-10173", "UB:CVE-2019-12384", "UB:CVE-2019-12814", "UB:CVE-2019-5427"]}, {"type": "veracode", "idList": ["VERACODE:13488", "VERACODE:23753"]}, {"type": "vmware", "idList": ["VMSA-2009-0016", "VMSA-2009-0016.6", "VMSA-2010-0002", "VMSA-2010-0002.4", "VMSA-2014-0007", "VMSA-2014-0007.2", "VMSA-2014-0008", "VMSA-2014-0008.2"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851"]}, {"type": "zdi", "idList": ["ZDI-16-570"]}, {"type": "zdt", "idList": ["1337DAY-ID-21887", "1337DAY-ID-24818", "1337DAY-ID-24847", "1337DAY-ID-27400"]}]}, "score": {"value": 2.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2014-344", "ALAS-2014-436", "ALAS-2022-1562"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-59684"]}, {"type": "attackerkb", "idList": ["AKB:FB2F65B2-D10B-4622-AEE6-41AAD3C1E6E7"]}, {"type": "centos", "idList": ["CESA-2017:2423"]}, {"type": "cert", "idList": ["VU:466161"]}, {"type": "cisa", "idList": ["CISA:848AFE845B4D41B0B59F2090C2571363"]}, {"type": "cisco", "idList": ["CISCO-SA-20151209-JAVA-DESERIALIZATION"]}, {"type": "cve", "idList": ["CVE-2009-0217", "CVE-2015-6420", "CVE-2016-1000031", "CVE-2017-5645", "CVE-2018-1272", "CVE-2019-5427"]}, {"type": "d2", "idList": ["D2SEC_AXIS"]}, {"type": "debian", "idList": ["DEBIAN:DLA-57-1:29ABF", "DEBIAN:DLA-57-1:6DE0E", "DEBIAN:DLA-930-1:3C143", "DEBIAN:DLA-945-1:BD1DE", "DEBIAN:DSA-2940-1:494C4", "DEBIAN:DSA-3840-1:214E5", "DEBIAN:DSA-3841-1:B278A", "DEBIAN:DSA-3857-1:6B7D0", "DEBIAN:F036444C1AE88D532E8E6B216967B2CC:9A0AD"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-5645", "DEBIANCVE:CVE-2018-20433", "DEBIANCVE:CVE-2019-5427"]}, {"type": "exploitdb", "idList": ["EDB-ID:39193"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:EB000848EE6583FA3B8F33FA4CDD34C0"]}, {"type": "f5", "idList": ["F5:K15364328", "F5:K29042031", "SOL15189", "SOL15282", "SOL15580", "SOL15741", "SOL15905", "SOL16872"]}, {"type": "fedora", "idList": ["FEDORA:0319E6092537", "FEDORA:0AC1C60C76B5", "FEDORA:1614F602E7DC", "FEDORA:341EA6057129", "FEDORA:376506075014", "FEDORA:5FA506092704", "FEDORA:76CFD605E21F", "FEDORA:A99066078F69", "FEDORA:E0A096048FD8", "FEDORA:EE17520E26", "FEDORA:EFDAB6050C3B"]}, {"type": "freebsd", "idList": ["3E0507C6-9614-11E3-B3A5-00E0814CAB4E", "708C65A5-7C58-11DE-A994-0030843D3802", "C97D7A37-2233-11DF-96DD-001B2134EF46"]}, {"type": "gentoo", "idList": ["GLSA-202107-37"]}, {"type": "github", "idList": ["GHSA-4487-X383-QPPH", "GHSA-84P2-VF58-XHXV", "GHSA-CMFG-87VQ-G5G4", "GHSA-MPH4-VHRX-MV67", "GHSA-Q485-J897-QC27"]}, {"type": "githubexploit", "idList": ["25C1C38A-8474-541F-8A69-2CF8DAC80EEB", "C2D99D6A-1A8C-5D55-BBB7-34A978AAC642", "CB6EAA9A-0163-56B4-AB74-82C8674241A0", "DEC27A66-2A52-591A-9AF4-1485144CE6E9"]}, {"type": "ibm", "idList": ["0F8C9B43069C04EF8D42F75FA8D42A5837D2A01F1B45F132DD6CE116C7562B83", "1A7668E81452E83AB00678328095567DA17543F8BDE6DB1EE678E96C5B064FD6", "1EBC77DA43FD0C2AC1B3FBFCD06096623AB926F98B7AC6367589E5222F2115BC", "3530DF8DA972875E9B1FD6F767CF9BCE12DD28AEEAAF4F127105D1281DCB6CC5", "539FD5A344951CB3146EC1C6256AC3A91344217924BD86DB5242BF2BD9D82C91", "639162FDF1F868B89BEC92BD6649146812BA3EC6E2918FE4CCE113215EE729B2", "77C6BF921A5EE4D83AAD3E81B0714C7F02AA72F5A80BC01802CC6F1440DE7948", "9DBEC753D4731F3169755A2E0DB634ADE1D525F4BB9B04BCA0E5932356CCCB75", "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "D006FC5774ADF4AA80F3952715EDDA472FE39E68ACF3E0BE82C85E08EB7037BF", "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "FC2BEDDC9B0A20E14CE30F6B90D14256565AADCC69A534CA0557D8F35594D108", "FE252D131D8F7560832F857A2E94C6660B4590940855E6B811C5BA4036C7A5C4"]}, {"type": "ics", "idList": ["ICSMA-20-184-01"]}, {"type": "jvn", "idList": ["JVN:19118282"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/IBM-WAS-CVE-2018-10237/", "MSF:ILITIES/ORACLE-WEBLOGIC-CVE-2018-10237/", "MSF:ILITIES/REDHAT-OPENSHIFT-CVE-2018-10237/", "MSF:ILITIES/RED_HAT-JBOSS_EAP-CVE-2018-10237/"]}, {"type": "mskb", "idList": ["KB981343"]}, {"type": "myhack58", "idList": ["MYHACK58:62201785372"]}, {"type": "nessus", "idList": ["ALA_ALAS-2013-169.NASL", "ALA_ALAS-2013-246.NASL", "CISCO_PRIME_LMS_JAVA_DESER.NASL", "DEBIAN_DSA-1849.NASL", "FEDORA_2013-1203.NASL", "FEDORA_2015-10175.NASL", "FEDORA_2017-11EDC0D6C3.NASL", "FEDORA_2017-B8358CDA24.NASL", "JUNIPER_NSM_JSA10642.NASL", "LOTUS_DOMINO_9_0_1_FP1.NASL", "MANDRIVA_MDVSA-2015-084.NASL", "ORACLELINUX_ELSA-2009-1428.NASL", "ORACLELINUX_ELSA-2017-2423.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2021.NASL", "REDHAT-RHSA-2009-1582.NASL", "REDHAT-RHSA-2013-0270.NASL", "REDHAT-RHSA-2017-2423.NASL", "SLACKWARE_SSA_2011-041-02.NASL", "SL_20131022_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20170807_LOG4J_ON_SL7_X.NASL", "SUSE_11_1_JAVA-1_6_0-OPENJDK-090922.NASL", "SUSE_11_1_LIBPYTHON2_6-1_0-100330.NASL", "SUSE_11_XERCES-J2-090820.NASL", "SUSE_XERCES-J2-6449.NASL", "TOMCAT_8_0_3.NASL", "UBUNTU_USN-2089-1.NASL", "UBUNTU_USN-890-1.NASL", "UBUNTU_USN-890-6.NASL", "VMWARE_VMSA-2009-0016_REMOTE.NASL", "WEBSPHERE_7_0_0_13.NASL", "WEBSPHERE_PORTAL_7_0_0_2_CF29.NASL", "WEBSPHERE_PORTAL_8_0_0_1_CF12.NASL", "WEBSPHERE_PORTAL_CVE-2014-0050.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123297", "OPENVAS:1361412562310123422", "OPENVAS:1361412562310123534", "OPENVAS:136141256231064542", "OPENVAS:136141256231064561", "OPENVAS:136141256231064590", "OPENVAS:136141256231064615", "OPENVAS:136141256231064623", "OPENVAS:136141256231064809", "OPENVAS:136141256231065711", "OPENVAS:136141256231066026", "OPENVAS:1361412562310702856", "OPENVAS:1361412562310703840", "OPENVAS:1361412562310703841", "OPENVAS:1361412562310703857", "OPENVAS:1361412562310808021", "OPENVAS:1361412562310830782", "OPENVAS:1361412562310830784", "OPENVAS:1361412562310841741", "OPENVAS:1361412562310865277", "OPENVAS:1361412562310870917", "OPENVAS:1361412562310871062", "OPENVAS:1361412562310872637", "OPENVAS:1361412562310872638", "OPENVAS:1361412562310872757", "OPENVAS:1361412562310872759", "OPENVAS:1361412562310880916", "OPENVAS:1361412562310902193", "OPENVAS:64621", "OPENVAS:64623", "OPENVAS:64654", "OPENVAS:64681", "OPENVAS:64686", "OPENVAS:68152", "OPENVAS:68923", "OPENVAS:703840", "OPENVAS:703841", "OPENVAS:703857", "OPENVAS:840394", "OPENVAS:864383"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2015"]}, {"type": "oraclelinux", "idList": ["ELSA-2009-1615", "ELSA-2014-0474", "ELSA-2017-2423"]}, {"type": "pentestit", "idList": ["PENTESTIT:30AA332D5D04A4C69FDE4D187314152E"]}, {"type": "photon", "idList": ["PHSA-2020-3.0-0141"]}, {"type": "redhat", "idList": ["RHSA-2012:1537", "RHSA-2013:1447", "RHSA-2013:1451", "RHSA-2014:1162", "RHSA-2015:0675", "RHSA-2017:2423", "RHSA-2017:2889", "RHSA-2019:3045", "RHSA-2019:3149"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-3093", "RH:CVE-2017-5645", "RH:CVE-2018-1272", "RH:CVE-2018-20433", "RH:CVE-2019-5427"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29176"]}, {"type": "seebug", "idList": ["SSV:92965"]}, {"type": "slackware", "idList": ["SSA-2011-041-02"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1399-1", "SUSE-SU-2013:1255-3", "SUSE-SU-2013:1257-1"]}, {"type": "symantec", "idList": ["SMNTC-109664"]}, {"type": "thn", "idList": ["THN:D7C30FB307A1DC524FADFFBF2D1BEAB1"]}, {"type": "threatpost", "idList": ["THREATPOST:DA06EE238F79D261C0FCB61902F3CDBD"]}, {"type": "ubuntu", "idList": ["USN-2033-1", "USN-2769-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-5783", "UB:CVE-2015-1796", "UB:CVE-2018-1272", "UB:CVE-2018-20433", "UB:CVE-2019-12384", "UB:CVE-2019-12814", "UB:CVE-2019-5427"]}, {"type": "vmware", "idList": ["VMSA-2009-0016", "VMSA-2014-0007.2"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851"]}, {"type": "zdi", "idList": ["ZDI-16-570"]}, {"type": "zdt", "idList": ["1337DAY-ID-24818", "1337DAY-ID-27400"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "storediq", "version": 7}]}, "epss": [{"cve": "CVE-2009-0217", "epss": "0.973330000", "percentile": "0.997700000", "modified": "2023-03-17"}, {"cve": "CVE-2009-2625", "epss": "0.007940000", "percentile": "0.789320000", "modified": "2023-03-17"}, {"cve": "CVE-2010-1632", "epss": "0.012180000", "percentile": "0.831880000", "modified": "2023-03-17"}, {"cve": "CVE-2012-0881", "epss": "0.006690000", "percentile": "0.766420000", "modified": "2023-03-17"}, {"cve": "CVE-2012-2098", "epss": "0.035570000", "percentile": "0.901460000", "modified": "2023-03-17"}, {"cve": "CVE-2012-5055", "epss": "0.003160000", "percentile": "0.656800000", "modified": "2023-03-17"}, {"cve": "CVE-2012-5783", "epss": "0.002380000", "percentile": "0.600970000", "modified": "2023-03-17"}, {"cve": "CVE-2013-0248", "epss": "0.000420000", "percentile": "0.056410000", "modified": "2023-03-17"}, {"cve": "CVE-2013-4002", "epss": "0.011040000", "percentile": "0.822400000", "modified": "2023-03-17"}, {"cve": "CVE-2013-7285", "epss": "0.161250000", "percentile": "0.950870000", "modified": "2023-03-18"}, {"cve": "CVE-2014-0050", "epss": "0.157010000", "percentile": "0.950020000", "modified": "2023-03-17"}, {"cve": "CVE-2014-0114", "epss": "0.973390000", "percentile": "0.997750000", "modified": "2023-03-17"}, {"cve": "CVE-2014-3578", "epss": "0.003010000", "percentile": "0.648020000", "modified": "2023-03-17"}, {"cve": "CVE-2014-3603", "epss": "0.000630000", "percentile": "0.253620000", "modified": "2023-03-18"}, {"cve": "CVE-2015-1796", "epss": "0.003760000", "percentile": "0.685530000", "modified": "2023-03-17"}, {"cve": "CVE-2015-6420", "epss": "0.008800000", "percentile": "0.800330000", "modified": "2023-03-18"}, {"cve": "CVE-2016-1000031", "epss": "0.042270000", "percentile": "0.909150000", "modified": "2023-03-17"}, {"cve": "CVE-2016-3093", "epss": "0.027320000", "percentile": "0.888710000", "modified": "2023-03-17"}, {"cve": "CVE-2016-3674", "epss": "0.001780000", "percentile": "0.532850000", "modified": "2023-03-17"}, {"cve": "CVE-2016-5725", "epss": "0.010310000", "percentile": "0.815770000", "modified": "2023-03-17"}, {"cve": "CVE-2017-15708", "epss": "0.007160000", "percentile": "0.775150000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3523", "epss": "0.001470000", "percentile": "0.489900000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3586", "epss": "0.001180000", "percentile": "0.440970000", "modified": "2023-03-17"}, {"cve": "CVE-2017-3589", "epss": "0.000510000", "percentile": "0.179500000", "modified": "2023-03-17"}, {"cve": "CVE-2017-5645", "epss": "0.022500000", "percentile": "0.878120000", "modified": "2023-03-17"}, {"cve": "CVE-2017-7957", "epss": "0.870380000", "percentile": "0.980050000", "modified": "2023-03-17"}, {"cve": "CVE-2018-10237", "epss": "0.010120000", "percentile": "0.814330000", "modified": "2023-03-17"}, {"cve": "CVE-2018-1272", "epss": "0.003620000", "percentile": "0.679780000", "modified": "2023-03-18"}, {"cve": "CVE-2018-20433", "epss": "0.009270000", "percentile": "0.805790000", "modified": "2023-03-17"}, {"cve": "CVE-2019-12384", "epss": "0.962030000", "percentile": "0.991640000", "modified": "2023-03-17"}, {"cve": "CVE-2019-12814", "epss": "0.006300000", "percentile": "0.757990000", "modified": "2023-03-17"}, {"cve": "CVE-2019-5427", "epss": "0.004670000", "percentile": "0.716930000", "modified": "2023-03-18"}], "vulnersScore": 2.4}, "_state": {"dependencies": 1677217515, "score": 1684013037, "affected_software_major_version": 1677355290, "epss": 1679165106}, "_internal": {"score_hash": "097d5504b9dedfa70b54d11eee824d8d"}, "affectedSoftware": [{"version": "7.6.0", "operator": "eq", "name": "storediq"}]}

{"debian": [{"lastseen": "2021-12-17T16:33:09", "description": "Package : mysql-connector-java\nVersion : 5.1.42-1~deb7u1\nCVE ID : CVE-2017-3523 CVE-2017-3586 CVE-2017-3589\n\nSeveral issues were discovered in mysql-connector-java that allow\nattackers to execute arbitrary code, insert or delete access to some\nof MySQL Connectors accessible data as well as unauthorized read\naccess to a subset of the data.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n5.1.42-1~deb7u1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-05-16T22:52:19", "type": "debian", "title": "[SECURITY] [DLA 945-1] mysql-connector-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589"], "modified": "2017-05-16T22:52:19", "id": "DEBIAN:DLA-945-1:BD1DE", "href": "https://lists.debian.org/debian-lts-announce/2017/05/msg00016.html", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T13:37:41", "description": "Package : mysql-connector-java\nVersion : 5.1.42-1~deb7u1\nCVE ID : CVE-2017-3523 CVE-2017-3586 CVE-2017-3589\n\nSeveral issues were discovered in mysql-connector-java that allow\nattackers to execute arbitrary code, insert or delete access to some\nof MySQL Connectors accessible data as well as unauthorized read\naccess to a subset of the data.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n5.1.42-1~deb7u1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-05-16T22:52:19", "type": "debian", "title": "[SECURITY] [DLA 945-1] mysql-connector-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589"], "modified": "2017-05-16T22:52:19", "id": "DEBIAN:DLA-945-1:346D0", "href": "https://lists.debian.org/debian-lts-announce/2017/05/msg00016.html", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T12:11:58", "description": "Package : jackson-databind\nVersion : 2.4.2-2+deb8u7\nCVE ID : CVE-2019-12384 CVE-2019-12814\nDebian Bug : 930750\n\nMore Polymorphic Typing issues were discovered in jackson-databind. When\nDefault Typing is enabled (either globally or for a specific property)\nfor an externally exposed JSON endpoint and the service has JDOM 1.x or\n2.x or logback-core jar in the classpath, an attacker can send a\nspecifically crafted JSON message that allows them to read arbitrary\nlocal files on the server.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n2.4.2-2+deb8u7.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-06-21T15:09:36", "type": "debian", "title": "[SECURITY] [DLA 1831-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-12814"], "modified": "2019-06-21T15:09:36", "id": "DEBIAN:DLA-1831-1:5617B", "href": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-01T03:39:34", "description": "Package : jackson-databind\nVersion : 2.4.2-2+deb8u7\nCVE ID : CVE-2019-12384 CVE-2019-12814\nDebian Bug : 930750\n\nMore Polymorphic Typing issues were discovered in jackson-databind. When\nDefault Typing is enabled (either globally or for a specific property)\nfor an externally exposed JSON endpoint and the service has JDOM 1.x or\n2.x or logback-core jar in the classpath, an attacker can send a\nspecifically crafted JSON message that allows them to read arbitrary\nlocal files on the server.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n2.4.2-2+deb8u7.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-06-21T15:09:36", "type": "debian", "title": "[SECURITY] [DLA 1831-1] jackson-databind security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-12814"], "modified": "2019-06-21T15:09:36", "id": "DEBIAN:DLA-1831-1:3FBA4", "href": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-04T15:33:44", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3857-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMay 18, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : mysql-connector-java\nCVE ID : CVE-2017-3586 CVE-2017-3589\n\nTwo vulnerabilities have been found in the MySQL Connector/J JDBC driver.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 5.1.42-1~deb8u1.\n\nFor the upcoming stable distribution (stretch), these problems have been\nfixed in version 5.1.42-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 5.1.42-1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.7}, "published": "2017-05-18T20:35:41", "type": "debian", "title": "[SECURITY] [DSA 3857-1] mysql-connector-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3586", "CVE-2017-3589"], "modified": "2017-05-18T20:35:41", "id": "DEBIAN:DSA-3857-1:6B7D0", "href": "https://lists.debian.org/debian-security-announce/2017/msg00117.html", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-10-22T13:17:31", "description": "Package : c3p0\nVersion : 0.9.1.2-9+deb8u1\nCVE ID : CVE-2018-20433\nDebian Bug : 917257\n\nA XML External Entity (XXE) vulnerability was discovered in c3p0, a\nlibrary for JDBC connection pooling, that may be used to resolve\ninformation outside of the intended sphere of control.\n\nFor Debian 8 &quot;Jessie&quot;, this problem has been fixed in version\n0.9.1.2-9+deb8u1.\n\nWe recommend that you upgrade your c3p0 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-28T18:58:36", "type": "debian", "title": "[SECURITY] [DLA 1621-1] c3p0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2018-12-28T18:58:36", "id": "DEBIAN:DLA-1621-1:D267E", "href": "https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-05T03:41:09", "description": "Package : c3p0\nVersion : 0.9.1.2-9+deb8u1\nCVE ID : CVE-2018-20433\nDebian Bug : 917257\n\nA XML External Entity (XXE) vulnerability was discovered in c3p0, a\nlibrary for JDBC connection pooling, that may be used to resolve\ninformation outside of the intended sphere of control.\n\nFor Debian 8 &quot;Jessie&quot;, this problem has been fixed in version\n0.9.1.2-9+deb8u1.\n\nWe recommend that you upgrade your c3p0 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-28T18:58:36", "type": "debian", "title": "[SECURITY] [DLA 1621-1] c3p0 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2018-12-28T18:58:36", "id": "DEBIAN:DLA-1621-1:66AE9", "href": "https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-04T14:59:03", "description": "Package : jsch\nVersion : 0.1.51-1+deb8u1\nCVE ID : CVE-2016-5725\n\n\nIt was discovered that there was a path traversal vulnerability in jsch, a\npure Java implementation of the SSH2 protocol.\n\n\nFor Debian 8 &quot;Jessie&quot;, this problem has been fixed in version\n0.1.51-1+deb8u1.\n\nWe recommend that you upgrade your jsch packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2020-04-25T17:25:49", "type": "debian", "title": "[SECURITY] [DLA 2184-1] jsch security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2020-04-25T17:25:49", "id": "DEBIAN:DLA-2184-1:7B407", "href": "https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-23T21:54:56", "description": "Package : jsch\nVersion : 0.1.42-2+deb7u1\nCVE ID : CVE-2016-5725\n\nIt was discovered that there was a path traversal vulnerability in jsch, a\npure Java implementation of the SSH2 protocol.\n\nFor Debian 7 &quot;Wheezy&quot;, this issue has been fixed in jsch version\n0.1.42-2+deb7u1.\n\nWe recommend that you upgrade your jsch packages.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-09-05T18:07:45", "type": "debian", "title": "[SECURITY] [DLA 611-1] jsch security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2016-09-05T18:07:45", "id": "DEBIAN:DLA-611-1:1B900", "href": "https://lists.debian.org/debian-lts-announce/2016/09/msg00004.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-10-22T13:38:02", "description": "Package : libxstream-java\nVersion : 1.4.2-1+deb7u2\nCVE ID : CVE-2017-7957\nDebian Bug : #861521\n\nIt was discovered that there was a remote application crash vulnerability in\nlibxstream-java, a Java library to serialize objects to XML and back again.\nThis was due to mishandled attempts to create an instance of the primitive type\n&#x27;void&#x27; during unmarshalling.\n\nFor Debian 7 &quot;Wheezy&quot;, this issue has been fixed in libxstream-java version\n1.4.2-1+deb7u2.\n\nWe recommend that you upgrade your libxstream-java packages.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-01T08:57:58", "type": "debian", "title": "[SECURITY] [DLA 930-1] libxstream-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2017-05-01T08:57:58", "id": "DEBIAN:DLA-930-1:3C143", "href": "https://lists.debian.org/debian-lts-announce/2017/05/msg00000.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-04T15:34:13", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3841-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMay 02, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libxstream-java\nCVE ID : CVE-2017-7957\n\nIt was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u2.\n\nFor the upcoming stable distribution (stretch), this problem will be\nfixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-2.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-02T21:19:12", "type": "debian", "title": "[SECURITY] [DSA 3841-1] libxstream-java", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2017-05-02T21:19:12", "id": "DEBIAN:DSA-3841-1:B278A", "href": "https://lists.debian.org/debian-security-announce/2017/msg00100.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-12-01T04:46:41", "description": "Package : libxstream-java\nVersion : 1.4.2-1+deb7u1\nCVE ID : CVE-2016-3674\nDebian Bug : 819455\n\nIt was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n1.4.2-1+deb7u1.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-06-08T09:16:41", "type": "debian", "title": "[SECURITY] [DLA 504-1] libxstream-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-06-08T09:16:41", "id": "DEBIAN:DLA-504-1:37F35", "href": "https://lists.debian.org/debian-lts-announce/2016/06/msg00007.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-10-23T22:06:45", "description": "Package : libxstream-java\nVersion : 1.4.2-1+deb7u1\nCVE ID : CVE-2016-3674\nDebian Bug : 819455\n\nIt was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n1.4.2-1+deb7u1.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-06-08T09:16:41", "type": "debian", "title": "[SECURITY] [DLA 504-1] libxstream-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-06-08T09:16:41", "id": "DEBIAN:DLA-504-1:21FF9", "href": "https://lists.debian.org/debian-lts-announce/2016/06/msg00007.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-02T16:09:12", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3575-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMay 12, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libxstream-java\nCVE ID : CVE-2016-3674\n\nIt was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.4.9-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-1.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-12T20:06:14", "type": "debian", "title": "[SECURITY] [DSA 3575-1] libxstream-java security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-05-12T20:06:14", "id": "DEBIAN:DSA-3575-1:A3240", "href": "https://lists.debian.org/debian-security-announce/2016/msg00152.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-08-05T05:20:17", "description": "\nSeveral issues were discovered in mysql-connector-java that allow\nattackers to execute arbitrary code, insert or delete access to some\nof MySQL Connectors accessible data as well as unauthorized read\naccess to a subset of the data.\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n5.1.42-1~deb7u1.\n\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-05-16T00:00:00", "type": "osv", "title": "mysql-connector-java - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3586", "CVE-2017-3523", "CVE-2017-3589"], "modified": "2022-08-05T05:19:58", "id": "OSV:DLA-945-1", "href": "https://osv.dev/vulnerability/DLA-945-1", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T05:18:39", "description": "\nMore Polymorphic Typing issues were discovered in jackson-databind. When\nDefault Typing is enabled (either globally or for a specific property)\nfor an externally exposed JSON endpoint and the service has JDOM 1.x or\n2.x or logback-core jar in the classpath, an attacker can send a\nspecifically crafted JSON message that allows them to read arbitrary\nlocal files on the server.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n2.4.2-2+deb8u7.\n\n\nWe recommend that you upgrade your jackson-databind packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-06-21T00:00:00", "type": "osv", "title": "jackson-databind - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12814", "CVE-2019-12384"], "modified": "2022-08-05T05:18:30", "id": "OSV:DLA-1831-1", "href": "https://osv.dev/vulnerability/DLA-1831-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T07:12:06", "description": "\nTwo vulnerabilities have been found in the MySQL Connector/J JDBC driver.\n\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 5.1.42-1~deb8u1.\n\n\nFor the upcoming stable distribution (stretch), these problems have been\nfixed in version 5.1.42-1.\n\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 5.1.42-1.\n\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\n\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2017-05-18T00:00:00", "type": "osv", "title": "mysql-connector-java - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3586", "CVE-2017-3589"], "modified": "2022-08-10T07:12:03", "id": "OSV:DSA-3857-1", "href": "https://osv.dev/vulnerability/DSA-3857-1", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2023-03-28T05:39:14", "description": "DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.", "cvss3": {}, "published": "2022-05-17T05:17:30", "type": "osv", "title": "Exposure of Sensitive Information to an Unauthorized Actor in Spring Security", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5055"], "modified": "2023-03-28T05:39:12", "id": "OSV:GHSA-3533-RVPC-6X56", "href": "https://osv.dev/vulnerability/GHSA-3533-rvpc-6x56", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-21T08:19:03", "description": "\nA XML External Entity (XXE) vulnerability was discovered in c3p0, a\nlibrary for JDBC connection pooling, that may be used to resolve\ninformation outside of the intended sphere of control.\n\n\nFor Debian 8 Jessie, this problem has been fixed in version\n0.9.1.2-9+deb8u1.\n\n\nWe recommend that you upgrade your c3p0 packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-28T00:00:00", "type": "osv", "title": "c3p0 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2022-07-21T05:52:26", "id": "OSV:DLA-1621-1", "href": "https://osv.dev/vulnerability/DLA-1621-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:27:47", "description": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-07T19:14:34", "type": "osv", "title": "XML External Entity Reference in mchange:c3p0", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2023-04-11T01:27:42", "id": "OSV:GHSA-Q485-J897-QC27", "href": "https://osv.dev/vulnerability/GHSA-q485-j897-qc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-11T20:13:26", "description": "Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.", "cvss3": {}, "published": "2022-05-17T02:22:43", "type": "osv", "title": "Improper Input Validation in Apache Axis2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1632"], "modified": "2022-07-08T18:56:43", "id": "OSV:GHSA-23VV-V25H-QWQW", "href": "https://osv.dev/vulnerability/GHSA-23vv-v25h-qwqw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:34:08", "description": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-13T01:09:33", "type": "osv", "title": "Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2023-04-11T01:33:39", "id": "OSV:GHSA-Q446-82VQ-W674", "href": "https://osv.dev/vulnerability/GHSA-q446-82vq-w674", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-05T05:19:44", "description": "\nIt was discovered that there was a path traversal vulnerability in jsch, a\npure Java implementation of the SSH2 protocol.\n\n\nFor Debian 7 Wheezy, this issue has been fixed in jsch version\n0.1.42-2+deb7u1.\n\n\nWe recommend that you upgrade your jsch packages.\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-09-05T00:00:00", "type": "osv", "title": "jsch - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2022-08-05T05:19:42", "id": "OSV:DLA-611-1", "href": "https://osv.dev/vulnerability/DLA-611-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-05T05:18:48", "description": "\nIt was discovered that there was a path traversal vulnerability in jsch, a\npure Java implementation of the SSH2 protocol.\n\n\nFor Debian 8 Jessie, this problem has been fixed in version\n0.1.51-1+deb8u1.\n\n\nWe recommend that you upgrade your jsch packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2020-04-25T00:00:00", "type": "osv", "title": "jsch - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2022-08-05T05:18:45", "id": "OSV:DLA-2184-1", "href": "https://osv.dev/vulnerability/DLA-2184-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-04-11T01:42:53", "description": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T18:23:25", "type": "osv", "title": "Remote Code Execution in Apache Synapse", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15708"], "modified": "2023-04-11T01:42:50", "id": "OSV:GHSA-P694-23Q3-RVRC", "href": "https://osv.dev/vulnerability/GHSA-p694-23q3-rvrc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T08:11:55", "description": "\nIt was discovered that there was a remote application crash vulnerability in\nlibxstream-java, a Java library to serialize objects to XML and back again.\nThis was due to mishandled attempts to create an instance of the primitive type\nvoid during unmarshalling.\n\n\nFor Debian 7 Wheezy, this issue has been fixed in libxstream-java version\n1.4.2-1+deb7u2.\n\n\nWe recommend that you upgrade your libxstream-java packages.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-01T00:00:00", "type": "osv", "title": "libxstream-java - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2022-07-21T05:55:01", "id": "OSV:DLA-930-1", "href": "https://osv.dev/vulnerability/DLA-930-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-11T01:37:09", "description": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-30T22:48:24", "type": "osv", "title": "Denial of service in XStream", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2023-04-11T01:37:04", "id": "OSV:GHSA-7HWC-46RM-65JH", "href": "https://osv.dev/vulnerability/GHSA-7hwc-46rm-65jh", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-10T07:09:53", "description": "\nIt was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.\n\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u2.\n\n\nFor the upcoming stable distribution (stretch), this problem will be\nfixed soon.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-2.\n\n\nWe recommend that you upgrade your libxstream-java packages.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-05-02T00:00:00", "type": "osv", "title": "libxstream-java - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2022-08-10T07:09:08", "id": "OSV:DSA-3841-1", "href": "https://osv.dev/vulnerability/DSA-3841-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-11T01:37:13", "description": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-15T18:51:38", "type": "osv", "title": "Denial of service in Apache Xerces2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881"], "modified": "2023-04-11T01:37:10", "id": "OSV:GHSA-VMQM-G3VH-847M", "href": "https://osv.dev/vulnerability/GHSA-vmqm-g3vh-847m", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-08-10T07:08:41", "description": "\nIt was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\n\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u1.\n\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.4.9-1.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-1.\n\n\nWe recommend that you upgrade your libxstream-java packages.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-05-12T00:00:00", "type": "osv", "title": "libxstream-java - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2022-08-10T07:08:28", "id": "OSV:DSA-3575-1", "href": "https://osv.dev/vulnerability/DSA-3575-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-28T05:44:28", "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-30T22:48:14", "type": "osv", "title": "XML External Entity Injection in XStream", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2023-03-28T05:44:21", "id": "OSV:GHSA-RGH3-987H-WPMW", "href": "https://osv.dev/vulnerability/GHSA-rgh3-987h-wpmw", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-05T05:19:43", "description": "\nIt was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n1.4.2-1+deb7u1.\n\n\nWe recommend that you upgrade your libxstream-java packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-06-08T00:00:00", "type": "osv", "title": "libxstream-java - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2022-08-05T05:19:34", "id": "OSV:DLA-504-1", "href": "https://osv.dev/vulnerability/DLA-504-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-11T01:24:43", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", "cvss3": {}, "published": "2022-05-13T01:07:05", "type": "osv", "title": "Uncontrolled Resource Consumption in Apache Commons Compress", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2023-04-11T01:24:41", "id": "OSV:GHSA-6FXM-66HQ-FC96", "href": "https://osv.dev/vulnerability/GHSA-6fxm-66hq-fc96", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-11T01:40:12", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-05-17T03:42:18", "type": "osv", "title": "Improper Input Validation in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2023-04-11T01:40:09", "id": "OSV:GHSA-383P-XQXX-RRMP", "href": "https://osv.dev/vulnerability/GHSA-383p-xqxx-rrmp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-11T01:34:06", "description": "Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.", "cvss3": {}, "published": "2022-05-14T00:56:29", "type": "osv", "title": "Improper Limitation of a Pathname to a Restricted Directory in Spring Framework", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3578"], "modified": "2023-04-11T01:33:36", "id": "OSV:GHSA-RHCG-RWHX-QJ3J", "href": "https://osv.dev/vulnerability/GHSA-rhcg-rwhx-qj3j", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-01-29T20:07:21", "description": "Several issues were discovered in mysql-connector-java that allow\nattackers to execute arbitrary code, insert or delete access to some\nof MySQL Connectors accessible data as well as unauthorized read\naccess to a subset of the data.", "cvss3": {}, "published": "2018-01-25T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for mysql-connector-java (DLA-945-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3586", "CVE-2017-3523", "CVE-2017-3589"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310890945", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890945", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890945\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-3523\", \"CVE-2017-3586\", \"CVE-2017-3589\");\n script_name(\"Debian LTS: Security Advisory for mysql-connector-java (DLA-945-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-25 00:00:00 +0100 (Thu, 25 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/05/msg00016.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"mysql-connector-java on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n5.1.42-1~deb7u1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\");\n\n script_tag(name:\"summary\", value:\"Several issues were discovered in mysql-connector-java that allow\nattackers to execute arbitrary code, insert or delete access to some\nof MySQL Connectors accessible data as well as unauthorized read\naccess to a subset of the data.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libmysql-java\", ver:\"5.1.42-1~deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-06-05T01:40:53", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-29T00:00:00", "type": "openvas", "title": "Fedora Update for c3p0 FEDORA-2019-cb14e234fc", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-5427", "CVE-2018-20433"], "modified": "2019-05-31T00:00:00", "id": "OPENVAS:1361412562310876429", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876429", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876429\");\n script_version(\"2019-05-31T13:18:49+0000\");\n script_cve_id(\"CVE-2018-20433\", \"CVE-2019-5427\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-31 13:18:49 +0000 (Fri, 31 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-29 02:12:01 +0000 (Wed, 29 May 2019)\");\n script_name(\"Fedora Update for c3p0 FEDORA-2019-cb14e234fc\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-cb14e234fc\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'c3p0'\n package(s) announced via the FEDORA-2019-cb14e234fc advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"c3p0 is an easy-to-use library for augmenting traditional JDBC drivers with\nJNDI-bindable DataSources, including DataSources that implement Connection\nand Statement Pooling, as described by the jdbc3 spec and jdbc2 standard\nextension.\");\n\n script_tag(name:\"affected\", value:\"'c3p0' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"c3p0\", rpm:\"c3p0~0.9.5.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-05T01:40:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-02T00:00:00", "type": "openvas", "title": "Fedora Update for c3p0 FEDORA-2019-063672154a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-5427", "CVE-2018-20433"], "modified": "2019-06-04T00:00:00", "id": "OPENVAS:1361412562310876434", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876434", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876434\");\n script_version(\"2019-06-04T07:02:10+0000\");\n script_cve_id(\"CVE-2018-20433\", \"CVE-2019-5427\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-04 07:02:10 +0000 (Tue, 04 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-02 02:13:50 +0000 (Sun, 02 Jun 2019)\");\n script_name(\"Fedora Update for c3p0 FEDORA-2019-063672154a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-063672154a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'c3p0'\n package(s) announced via the FEDORA-2019-063672154a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"c3p0 is an easy-to-use library for augmenting traditional JDBC drivers with\nJNDI-bindable DataSources, including DataSources that implement Connection\nand Statement Pooling, as described by the jdbc3 spec and jdbc2 standard\nextension.\");\n\n script_tag(name:\"affected\", value:\"'c3p0' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"c3p0\", rpm:\"c3p0~0.9.5.4~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:30:01", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-06-22T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for jackson-databind (DLA-1831-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12814", "CVE-2019-12384"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891831", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891831", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891831\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-12384\", \"CVE-2019-12814\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-22 02:00:08 +0000 (Sat, 22 Jun 2019)\");\n script_name(\"Debian LTS: Security Advisory for jackson-databind (DLA-1831-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1831-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/930750\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jackson-databind'\n package(s) announced via the DLA-1831-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"More Polymorphic Typing issues were discovered in jackson-databind. When\nDefault Typing is enabled (either globally or for a specific property)\nfor an externally exposed JSON endpoint and the service has JDOM 1.x or\n2.x or logback-core jar in the classpath, an attacker can send a\nspecifically crafted JSON message that allows them to read arbitrary\nlocal files on the server.\");\n\n script_tag(name:\"affected\", value:\"'jackson-databind' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2.4.2-2+deb8u7.\n\nWe recommend that you upgrade your jackson-databind packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java\", ver:\"2.4.2-2+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjackson2-databind-java-doc\", ver:\"2.4.2-2+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:37", "description": "Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.", "cvss3": {}, "published": "2017-05-18T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3857-1 (mysql-connector-java - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3586", "CVE-2017-3589"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703857", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703857", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3857.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3857-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703857\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2017-3586\", \"CVE-2017-3589\");\n script_name(\"Debian Security Advisory DSA 3857-1 (mysql-connector-java - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-18 00:00:00 +0200 (Thu, 18 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3857.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"mysql-connector-java on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), these problems have been fixed in\nversion 5.1.42-1~deb8u1.\n\nFor the upcoming stable distribution (stretch), these problems have been\nfixed in version 5.1.42-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 5.1.42-1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\");\n script_tag(name:\"summary\", value:\"Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libmysql-java\", ver:\"5.1.42-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libmysql-java\", ver:\"5.1.42-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2017-07-24T12:57:47", "description": "Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.", "cvss3": {}, "published": "2017-05-18T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3857-1 (mysql-connector-java - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3586", "CVE-2017-3589"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703857", "href": "http://plugins.openvas.org/nasl.php?oid=703857", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3857.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3857-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703857);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2017-3586\", \"CVE-2017-3589\");\n script_name(\"Debian Security Advisory DSA 3857-1 (mysql-connector-java - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-05-18 00:00:00 +0200 (Thu, 18 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3857.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"mysql-connector-java on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), these problems have been fixed in\nversion 5.1.42-1~deb8u1.\n\nFor the upcoming stable distribution (stretch), these problems have been\nfixed in version 5.1.42-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 5.1.42-1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\");\n script_tag(name: \"summary\", value: \"Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libmysql-java\", ver:\"5.1.42-1\", rls_regex:\"DEB9.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmysql-java\", ver:\"5.1.42-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-01-29T19:26:05", "description": "XML External Entity (XXE) vulnerability was discovered in c3p0, a\nlibrary for JDBC connection pooling, that may be used to resolve\ninformation outside of the intended sphere of control.", "cvss3": {}, "published": "2019-01-03T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for c3p0 (DLA-1621-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20433"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891621", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891621", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891621\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-20433\");\n script_name(\"Debian LTS: Security Advisory for c3p0 (DLA-1621-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-01-03 00:00:00 +0100 (Thu, 03 Jan 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"c3p0 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n0.9.1.2-9+deb8u1.\n\nWe recommend that you upgrade your c3p0 packages.\");\n\n script_tag(name:\"summary\", value:\"XML External Entity (XXE) vulnerability was discovered in c3p0, a\nlibrary for JDBC connection pooling, that may be used to resolve\ninformation outside of the intended sphere of control.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libc3p0-java\", ver:\"0.9.1.2-9+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libc3p0-java-doc\", ver:\"0.9.1.2-9+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-27T19:23:06", "description": "Apache Axis2 is prone to a security vulnerability that may result in\n information-disclosure or denial-of-service conditions.", "cvss3": {}, "published": "2010-09-20T00:00:00", "type": "openvas", "title": "Apache Axis2 Document Type Declaration Processing Security Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-1632"], "modified": "2020-04-23T00:00:00", "id": "OPENVAS:1361412562310100814", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100814", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Axis2 Document Type Declaration Processing Security Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:apache:axis2';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100814\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-09-20 15:31:27 +0200 (Mon, 20 Sep 2010)\");\n\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_bugtraq_id(40976);\n script_cve_id(\"CVE-2010-1632\");\n\n script_name(\"Apache Axis2 Document Type Declaration Processing Security Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_axis2_detect.nasl\");\n script_require_ports(\"Services/www\", 8080, 8081);\n script_mandatory_keys(\"axis2/installed\");\n\n script_tag(name:\"solution\", value:\"The vendor has released fixes. Please see the references for more\n information.\");\n\n script_tag(name:\"summary\", value:\"Apache Axis2 is prone to a security vulnerability that may result in\n information-disclosure or denial-of-service conditions.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this vulnerability to obtain potentially\n sensitive information by including local and external files on computers running the vulnerable\n application or by causing denial-of-service conditions. Other attacks are also possible.\");\n\n script_tag(name:\"affected\", value:\"The issue affects versions prior to 1.5.2 and 1.6.\");\n\n script_xref(name:\"URL\", value:\"https://www.securityfocus.com/bid/40976\");\n script_xref(name:\"URL\", value:\"http://ws.apache.org/axis2/\");\n script_xref(name:\"URL\", value:\"http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html\");\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg27019456\");\n script_xref(name:\"URL\", value:\"https://issues.apache.org/jira/browse/AXIS2-4450\");\n script_xref(name:\"URL\", value:\"https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf\");\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24027020\");\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24027019\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/support/docview.wss?uid=swg24027503\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/support/docview.wss?uid=swg24027502\");\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21433581\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version: vers, test_version: \"1.5.2\" ) ) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"1.5.2\");\n security_message(port: port, data: report);\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-28T17:20:11", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-04-26T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for jsch (DLA-2184-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5725"], "modified": "2020-04-26T00:00:00", "id": "OPENVAS:1361412562310892184", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892184", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892184\");\n script_version(\"2020-04-26T03:00:06+0000\");\n script_cve_id(\"CVE-2016-5725\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-04-26 03:00:06 +0000 (Sun, 26 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-26 03:00:06 +0000 (Sun, 26 Apr 2020)\");\n script_name(\"Debian LTS: Security Advisory for jsch (DLA-2184-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2184-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jsch'\n package(s) announced via the DLA-2184-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that there was a path traversal vulnerability in jsch, a\npure Java implementation of the SSH2 protocol.\");\n\n script_tag(name:\"affected\", value:\"'jsch' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n0.1.51-1+deb8u1.\n\nWe recommend that you upgrade your jsch packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libjsch-java\", ver:\"0.1.51-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libjsch-java-doc\", ver:\"0.1.51-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:00", "description": "It was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.", "cvss3": {}, "published": "2017-05-02T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3841-1 (libxstream-java - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7957"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703841", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703841", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3841.nasl 14280 2019-03-18 14:50:45Z cfischer $\n# Auto-generated from advisory DSA 3841-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703841\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-7957\");\n script_name(\"Debian Security Advisory DSA 3841-1 (libxstream-java - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-02 00:00:00 +0200 (Tue, 02 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3841.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"libxstream-java on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u2.\n\nFor the upcoming stable distribution (stretch), this problem will be\nfixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-2.\n\nWe recommend that you upgrade your libxstream-java packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.7-2+deb8u2\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-24T12:57:23", "description": "It was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.", "cvss3": {}, "published": "2017-05-02T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3841-1 (libxstream-java - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7957"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703841", "href": "http://plugins.openvas.org/nasl.php?oid=703841", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3841.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3841-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703841);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2017-7957\");\n script_name(\"Debian Security Advisory DSA 3841-1 (libxstream-java - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-05-02 00:00:00 +0200 (Tue, 02 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3841.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libxstream-java on Debian Linux\");\n script_tag(name: \"insight\", value: \"The features of the XStream library are:\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u2.\n\nFor the upcoming stable distribution (stretch), this problem will be\nfixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-2.\n\nWe recommend that you upgrade your libxstream-java packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.7-2+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-01-29T20:07:55", "description": "It was discovered that there was a remote application crash vulnerability in\nlibxstream-java, a Java library to serialize objects to XML and back again.\nThis was due to mishandled attempts to create an instance of the primitive type\n", "cvss3": {}, "published": "2018-01-25T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for libxstream-java (DLA-930-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7957"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310890930", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890930", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890930\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-7957\");\n script_name(\"Debian LTS: Security Advisory for libxstream-java (DLA-930-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-25 00:00:00 +0100 (Thu, 25 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/05/msg00000.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"libxstream-java on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in libxstream-java version\n1.4.2-1+deb7u2.\n\nWe recommend that you upgrade your libxstream-java packages.\");\n\n script_tag(name:\"summary\", value:\"It was discovered that there was a remote application crash vulnerability in\nlibxstream-java, a Java library to serialize objects to XML and back again.\nThis was due to mishandled attempts to create an instance of the primitive type\n'void' during unmarshalling.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.2-1+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-04-11T00:00:00", "type": "openvas", "title": "Fedora Update for xstream FEDORA-2016-175", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310807751", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807751", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xstream FEDORA-2016-175\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807751\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-11 14:52:18 +0200 (Mon, 11 Apr 2016)\");\n script_cve_id(\"CVE-2016-3674\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xstream FEDORA-2016-175\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xstream'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"xstream on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-175\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181205.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"xstream\", rpm:\"xstream~1.4.9~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:41", "description": "It was discovered that XStream, a Java\nlibrary to serialize objects to XML and back again, was susceptible to XML External\nEntity attacks.", "cvss3": {}, "published": "2016-05-12T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3575-1 (libxstream-java - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703575", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703575", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3575.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3575-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703575\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-3674\");\n script_name(\"Debian Security Advisory DSA 3575-1 (libxstream-java - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-12 00:00:00 +0200 (Thu, 12 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3575.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|8)\");\n script_tag(name:\"affected\", value:\"libxstream-java on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 1.4.7-2+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.4.9-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-1.\n\nWe recommend that you upgrade your libxstream-java packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that XStream, a Java\nlibrary to serialize objects to XML and back again, was susceptible to XML External\nEntity attacks.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.9-1\", rls:\"DEB9\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.7-2+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:42", "description": "Mageia Linux Local Security Checks mgasa-2016-0164", "cvss3": {}, "published": "2016-05-09T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0164", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2019-03-14T00:00:00", "id": "OPENVAS:1361412562310131288", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131288", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0164.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131288\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:17:51 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0164\");\n script_tag(name:\"insight\", value:\"Updated xstream packages fix security vulnerability: XStream (x-stream.github.io) is a Java library to marshal Java objects into XML and back. For this purpose it supports a lot of different XML parsers. Some of those can also process external entities which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system (CVE-2016-3674).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0164.html\");\n script_cve_id(\"CVE-2016-3674\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0164\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"xstream\", rpm:\"xstream~1.4.9~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"javapackages-tools\", rpm:\"javapackages-tools~4.1.0~15.1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:14", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-04-27T00:00:00", "type": "openvas", "title": "Fedora Update for xstream FEDORA-2016-250042", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310807953", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807953", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xstream FEDORA-2016-250042\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807953\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-27 05:18:36 +0200 (Wed, 27 Apr 2016)\");\n script_cve_id(\"CVE-2016-3674\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xstream FEDORA-2016-250042\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'xstream'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"xstream on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-250042\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"xstream\", rpm:\"xstream~1.4.9~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-24T12:54:54", "description": "It was discovered that XStream, a Java\nlibrary to serialize objects to XML and back again, was susceptible to XML External\nEntity attacks.", "cvss3": {}, "published": "2016-05-12T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3575-1 (libxstream-java - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703575", "href": "http://plugins.openvas.org/nasl.php?oid=703575", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3575.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3575-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703575);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-3674\");\n script_name(\"Debian Security Advisory DSA 3575-1 (libxstream-java - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-05-12 00:00:00 +0200 (Thu, 12 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3575.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libxstream-java on Debian Linux\");\n script_tag(name: \"insight\", value: \"The features of the XStream library are:\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 1.4.7-2+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.4.9-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.4.9-1.\n\nWe recommend that you upgrade your libxstream-java packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that XStream, a Java\nlibrary to serialize objects to XML and back again, was susceptible to XML External\nEntity attacks.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.9-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libxstream-java\", ver:\"1.4.7-2+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:37:57", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2013-05-13T00:00:00", "type": "openvas", "title": "Fedora Update for plexus-archiver FEDORA-2013-5548", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310865612", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for plexus-archiver FEDORA-2013-5548\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865612\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-13 12:42:20 +0530 (Mon, 13 May 2013)\");\n script_cve_id(\"CVE-2012-2098\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for plexus-archiver FEDORA-2013-5548\");\n script_xref(name:\"FEDORA\", value:\"2013-5548\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'plexus-archiver'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"plexus-archiver on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~2.3~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:37:56", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2013-05-13T00:00:00", "type": "openvas", "title": "Fedora Update for plexus-archiver FEDORA-2013-5546", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310865608", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865608", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for plexus-archiver FEDORA-2013-5546\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865608\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-13 12:42:03 +0530 (Mon, 13 May 2013)\");\n script_cve_id(\"CVE-2012-2098\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for plexus-archiver FEDORA-2013-5546\");\n script_xref(name:\"FEDORA\", value:\"2013-5546\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'plexus-archiver'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"plexus-archiver on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~2.3~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:38:46", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-06-04T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-compress FEDORA-2012-8465", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310864280", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864280", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-compress FEDORA-2012-8465\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864280\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-04 11:07:12 +0530 (Mon, 04 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2012-2098\");\n script_xref(name:\"FEDORA\", value:\"2012-8465\");\n script_name(\"Fedora Update for apache-commons-compress FEDORA-2012-8465\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-compress'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"apache-commons-compress on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-compress\", rpm:\"apache-commons-compress~1.4.1~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:38:47", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-08-30T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-compress FEDORA-2012-8428", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310864383", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864383", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-compress FEDORA-2012-8428\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864383\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:06:36 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2098\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-8428\");\n script_name(\"Fedora Update for apache-commons-compress FEDORA-2012-8428\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'apache-commons-compress'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"apache-commons-compress on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-compress\", rpm:\"apache-commons-compress~1.4.1~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-01-06T13:06:48", "description": "Check for the Version of apache-commons-compress", "cvss3": {}, "published": "2012-06-04T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-compress FEDORA-2012-8465", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2018-01-05T00:00:00", "id": "OPENVAS:864280", "href": "http://plugins.openvas.org/nasl.php?oid=864280", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-compress FEDORA-2012-8465\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"apache-commons-compress on Fedora 16\";\ntag_insight = \"The code in this component came from Avalon's Excalibur, but originally\n from Ant, as far as life in Apache goes. The tar package is originally\n Tim Endres' public domain package. The bzip2 package is based on the\n work done by Keiron Liddle. It has migrated via:\n Ant -&gt; Avalon-Excalibur -&gt; Commons-IO -&gt; Commons-Compress.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html\");\n script_id(864280);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-04 11:07:12 +0530 (Mon, 04 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2012-2098\");\n script_xref(name: \"FEDORA\", value: \"2012-8465\");\n script_name(\"Fedora Update for apache-commons-compress FEDORA-2012-8465\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of apache-commons-compress\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-compress\", rpm:\"apache-commons-compress~1.4.1~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:52:11", "description": "Check for the Version of plexus-archiver", "cvss3": {}, "published": "2013-05-13T00:00:00", "type": "openvas", "title": "Fedora Update for plexus-archiver FEDORA-2013-5546", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:865608", "href": "http://plugins.openvas.org/nasl.php?oid=865608", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for plexus-archiver FEDORA-2013-5546\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"plexus-archiver on Fedora 17\";\ntag_insight = \"The Plexus project seeks to create end-to-end developer tools for\n writing applications. At the core is the container, which can be\n embedded or for a full scale application server. There are many\n reusable components for hibernate, form processing, jndi, i18n,\n velocity, etc. Plexus also includes an application server which\n is like a J2EE application server, without all the baggage.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865608);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-13 12:42:03 +0530 (Mon, 13 May 2013)\");\n script_cve_id(\"CVE-2012-2098\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for plexus-archiver FEDORA-2013-5546\");\n\n script_xref(name: \"FEDORA\", value: \"2013-5546\");\n script_xref(name: \"URL\" , value: \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html\");\n script_summary(\"Check for the Version of plexus-archiver\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~2.3~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:27", "description": "Check for the Version of plexus-archiver", "cvss3": {}, "published": "2013-05-13T00:00:00", "type": "openvas", "title": "Fedora Update for plexus-archiver FEDORA-2013-5548", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:865612", "href": "http://plugins.openvas.org/nasl.php?oid=865612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for plexus-archiver FEDORA-2013-5548\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"plexus-archiver on Fedora 18\";\ntag_insight = \"The Plexus project seeks to create end-to-end developer tools for\n writing applications. At the core is the container, which can be\n embedded or for a full scale application server. There are many\n reusable components for hibernate, form processing, jndi, i18n,\n velocity, etc. Plexus also includes an application server which\n is like a J2EE application server, without all the baggage.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865612);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-13 12:42:20 +0530 (Mon, 13 May 2013)\");\n script_cve_id(\"CVE-2012-2098\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Fedora Update for plexus-archiver FEDORA-2013-5548\");\n\n script_xref(name: \"FEDORA\", value: \"2013-5548\");\n script_xref(name: \"URL\" , value: \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html\");\n script_summary(\"Check for the Version of plexus-archiver\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~2.3~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-06T13:07:17", "description": "Check for the Version of apache-commons-compress", "cvss3": {}, "published": "2012-08-30T00:00:00", "type": "openvas", "title": "Fedora Update for apache-commons-compress FEDORA-2012-8428", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2018-01-05T00:00:00", "id": "OPENVAS:864383", "href": "http://plugins.openvas.org/nasl.php?oid=864383", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for apache-commons-compress FEDORA-2012-8428\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"apache-commons-compress on Fedora 17\";\ntag_insight = \"The code in this component came from Avalon's Excalibur, but originally\n from Ant, as far as life in Apache goes. The tar package is originally\n Tim Endres' public domain package. The bzip2 package is based on the\n work done by Keiron Liddle. It has migrated via:\n Ant -&gt; Avalon-Excalibur -&gt; Commons-IO -&gt; Commons-Compress.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html\");\n script_id(864383);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:06:36 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2098\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-8428\");\n script_name(\"Fedora Update for apache-commons-compress FEDORA-2012-8428\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of apache-commons-compress\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"apache-commons-compress\", rpm:\"apache-commons-compress~1.4.1~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2023-05-18T14:12:58", "description": "Several issues were discovered in mysql-connector-java that allow attackers to execute arbitrary code, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of the data.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 5.1.42-1~deb7u1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-05-17T00:00:00", "type": "nessus", "title": "Debian DLA-945-1 : mysql-connector-java security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libmysql-java", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-945.NASL", "href": "https://www.tenable.com/plugins/nessus/100227", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-945-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100227);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-3523\", \"CVE-2017-3586\", \"CVE-2017-3589\");\n\n script_name(english:\"Debian DLA-945-1 : mysql-connector-java security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several issues were discovered in mysql-connector-java that allow\nattackers to execute arbitrary code, insert or delete access to some\nof MySQL Connectors accessible data as well as unauthorized read\naccess to a subset of the data.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n5.1.42-1~deb7u1.\n\nWe recommend that you upgrade your mysql-connector-java packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/05/msg00016.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/mysql-connector-java\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected libmysql-java package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmysql-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libmysql-java\", reference:\"5.1.42-1~deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:25:20", "description": "This update for mysql-connector-java to version to 5.1.42 fixes several issues.\n\nThese security issues were fixed :\n\n - CVE-2017-3589: An unspecified vulnerability in MySQL Connector/J could have resulted in unauthorized update, insert or delete access to some of MySQL Connectors accessible data (bnc#1035210)\n\n - CVE-2017-3523: An unspecified vulnerability in MySQL Connector/J could have lead to takeover of MySQL Connectors (bnc#1035697)\n\n - CVE-2017-3586: An unspecified vulnerability in MySQL Connectors could have lead to unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data (bnc#1035211)\n\nMore infos are available at http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update project.", "cvss3": {}, "published": "2018-03-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : mysql-connector-java (openSUSE-2018-248)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:mysql-connector-java", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2018-248.NASL", "href": "https://www.tenable.com/plugins/nessus/108270", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-248.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108270);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-3523\", \"CVE-2017-3586\", \"CVE-2017-3589\");\n\n script_name(english:\"openSUSE Security Update : mysql-connector-java (openSUSE-2018-248)\");\n script_summary(english:\"Check for the openSUSE-2018-248 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for mysql-connector-java to version to 5.1.42 fixes\nseveral issues.\n\nThese security issues were fixed :\n\n - CVE-2017-3589: An unspecified vulnerability in MySQL\n Connector/J could have resulted in unauthorized update,\n insert or delete access to some of MySQL Connectors\n accessible data (bnc#1035210)\n\n - CVE-2017-3523: An unspecified vulnerability in MySQL\n Connector/J could have lead to takeover of MySQL\n Connectors (bnc#1035697)\n\n - CVE-2017-3586: An unspecified vulnerability in MySQL\n Connectors could have lead to unauthorized update,\n insert or delete access to some of MySQL Connectors\n accessible data as well as unauthorized read access to a\n subset of MySQL Connectors accessible data (bnc#1035211)\n\nMore infos are available at\nhttp://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n # http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1035210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1035211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1035697\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mysql-connector-java package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mysql-connector-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"mysql-connector-java-5.1.42-10.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mysql-connector-java\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-16T00:30:38", "description": "Update to version 0.9.5.4.\n\nResolves CVE-2018-20433 and CVE-2019-5427.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-29T00:00:00", "type": "nessus", "title": "Fedora 29 : c3p0 (2019-063672154a)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2020-01-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:c3p0", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-063672154A.NASL", "href": "https://www.tenable.com/plugins/nessus/125486", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-063672154a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125486);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/15\");\n\n script_cve_id(\"CVE-2018-20433\", \"CVE-2019-5427\");\n script_xref(name:\"FEDORA\", value:\"2019-063672154a\");\n\n script_name(english:\"Fedora 29 : c3p0 (2019-063672154a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to version 0.9.5.4.\n\nResolves CVE-2018-20433 and CVE-2019-5427.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-063672154a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected c3p0 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:c3p0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"c3p0-0.9.5.4-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"c3p0\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-16T12:49:14", "description": "Update to version 0.9.5.4.\n\nResolves CVE-2018-20433 and CVE-2019-5427.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-05-29T00:00:00", "type": "nessus", "title": "Fedora 30 : c3p0 (2019-cb14e234fc)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2020-01-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:c3p0", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-CB14E234FC.NASL", "href": "https://www.tenable.com/plugins/nessus/125487", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-cb14e234fc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125487);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/15\");\n\n script_cve_id(\"CVE-2018-20433\", \"CVE-2019-5427\");\n script_xref(name:\"FEDORA\", value:\"2019-cb14e234fc\");\n\n script_name(english:\"Fedora 30 : c3p0 (2019-cb14e234fc)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to version 0.9.5.4.\n\nResolves CVE-2018-20433 and CVE-2019-5427.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-cb14e234fc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected c3p0 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:c3p0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"c3p0-0.9.5.4-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"c3p0\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-24T14:24:40", "description": "More Polymorphic Typing issues were discovered in jackson-databind.\nWhen Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or logback-core jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u7.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-06-24T00:00:00", "type": "nessus", "title": "Debian DLA-1831-1 : jackson-databind security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12384", "CVE-2019-12814"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libjackson2-databind-java", "p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1831.NASL", "href": "https://www.tenable.com/plugins/nessus/126126", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1831-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126126);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2019-12384\", \"CVE-2019-12814\");\n\n script_name(english:\"Debian DLA-1831-1 : jackson-databind security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"More Polymorphic Typing issues were discovered in jackson-databind.\nWhen Default Typing is enabled (either globally or for a specific\nproperty) for an externally exposed JSON endpoint and the service has\nJDOM 1.x or 2.x or logback-core jar in the classpath, an attacker can\nsend a specifically crafted JSON message that allows them to read\narbitrary local files on the server.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.4.2-2+deb8u7.\n\nWe recommend that you upgrade your jackson-databind packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/jackson-databind\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjackson2-databind-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java\", reference:\"2.4.2-2+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjackson2-databind-java-doc\", reference:\"2.4.2-2+deb8u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:20:10", "description": "Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.", "cvss3": {}, "published": "2017-05-19T00:00:00", "type": "nessus", "title": "Debian DSA-3857-1 : mysql-connector-java - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3586", "CVE-2017-3589"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:mysql-connector-java", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3857.NASL", "href": "https://www.tenable.com/plugins/nessus/100279", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3857. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100279);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-3586\", \"CVE-2017-3589\");\n script_xref(name:\"DSA\", value:\"3857\");\n\n script_name(english:\"Debian DSA-3857-1 : mysql-connector-java - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities have been found in the MySQL Connector/J JDBC\ndriver.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/mysql-connector-java\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3857\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the mysql-connector-java packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 5.1.42-1~deb8u1.\n\nFor the upcoming stable distribution (stretch), these problems have\nbeen fixed in version 5.1.42-1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mysql-connector-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libmysql-java\", reference:\"5.1.42-1~deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:22", "description": "According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 7.10.1. It is, therefore, affected by multiple vulnerabilities:\n\n - Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON. (CVE-2013-7285)\n\n - Multiple XML external entity (XXE) vulnerabilities in the Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver, StandardStaxDriver, and WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document. (CVE-2016-3674)\n\n - XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML call. (CVE-2017-7957)\n\n - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402)\n\n - The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. (CVE-2019-20104)\n\n - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. (CVE-2020-15586)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-16T00:00:00", "type": "nessus", "title": "JFrog < 7.10.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-7285", "CVE-2016-3674", "CVE-2017-7957", "CVE-2019-12402", "CVE-2019-20104", "CVE-2020-15586"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:jfrog:artifactory"], "id": "JFROG_ARTIFACTORY_7_10_1.NASL", "href": "https://www.tenable.com/plugins/nessus/144307", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144307);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2013-7285\",\n \"CVE-2016-3674\",\n \"CVE-2017-7957\",\n \"CVE-2019-12402\",\n \"CVE-2019-20104\",\n \"CVE-2020-15586\"\n );\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"JFrog < 7.10.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Determines if the remote JFrog Artifactory installation is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior\nto 7.10.1. It is, therefore, affected by multiple vulnerabilities:\n\n - Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may\n allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when\n unmarshaling XML or any supported format. e.g. JSON. (CVE-2013-7285)\n\n - Multiple XML external entity (XXE) vulnerabilities in the Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver,\n StandardStaxDriver, and WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files\n via a crafted XML document. (CVE-2016-3674)\n\n - XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance\n of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by\n an xstream.fromXML call. (CVE-2017-7957)\n\n - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite\n loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose\n the file names inside of an archive created by Compress. (CVE-2019-12402)\n\n - The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1\n allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. (CVE-2019-20104)\n\n - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the\n httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. (CVE-2020-15586)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.jfrog.com/confluence/display/JFROG/Fixed+Security+Vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8dc55d3d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to JFrog Artifactory 7.10.1, or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-7285\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:jfrog:artifactory\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jfrog_artifactory_win_installed.nbin\", \"jfrog_artifactory_nix_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Artifactory\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nwin_local = FALSE;\nos = get_kb_item('Host/OS');\nif ('windows' >< tolower(os)) win_local = TRUE;\n\napp_info = vcf::get_app_info(app:'Artifactory', win_local:win_local);\n\nconstraints = [\n { 'min_version' : '7.0', 'fixed_version' : '7.10.1' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:42", "description": "The remote host is affected by the vulnerability described in GLSA-202107-39 (Apache Commons FileUpload: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache Commons FileUpload. Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2022-01-24T00:00:00", "type": "nessus", "title": "GLSA-202107-39 : Apache Commons FileUpload: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0248", "CVE-2014-0050", "CVE-2016-3092"], "modified": "2022-12-14T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:commons-fileupload", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202107-39.NASL", "href": "https://www.tenable.com/plugins/nessus/156985", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202107-39.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(156985);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/14\");\n\n script_cve_id(\"CVE-2013-0248\", \"CVE-2014-0050\", \"CVE-2016-3092\");\n script_xref(name:\"GLSA\", value:\"202107-39\");\n\n script_name(english:\"GLSA-202107-39 : Apache Commons FileUpload: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202107-39\n(Apache Commons FileUpload: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache Commons\n FileUpload. Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202107-39\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Gentoo has discontinued support for Apache Commons FileUpload. We\n recommend that users unmerge it:\n # emerge --ask --depclean 'dev-java/commons-fileupload'\n NOTE: The Gentoo developer(s) maintaining Apache Commons FileUpload have\n discontinued support at this time. It may be possible that a new Gentoo\n developer will update Apache Commons FileUpload at a later date. We do\n not have a suggestion for a replacement at this time.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3092\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:commons-fileupload\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-java/commons-fileupload\", unaffected:make_list(), vulnerable:make_list(\"le 1.3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache Commons FileUpload\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:43:25", "description": "A XML External Entity (XXE) vulnerability was discovered in c3p0, a library for JDBC connection pooling, that may be used to resolve information outside of the intended sphere of control.\n\nFor Debian 8 'Jessie', this problem has been fixed in version 0.9.1.2-9+deb8u1.\n\nWe recommend that you upgrade your c3p0 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-12-31T00:00:00", "type": "nessus", "title": "Debian DLA-1621-1 : c3p0 security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-20433"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libc3p0-java", "p-cpe:/a:debian:debian_linux:libc3p0-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1621.NASL", "href": "https://www.tenable.com/plugins/nessus/119941", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1621-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119941);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-20433\");\n\n script_name(english:\"Debian DLA-1621-1 : c3p0 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A XML External Entity (XXE) vulnerability was discovered in c3p0, a\nlibrary for JDBC connection pooling, that may be used to resolve\ninformation outside of the intended sphere of control.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n0.9.1.2-9+deb8u1.\n\nWe recommend that you upgrade your c3p0 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/c3p0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected libc3p0-java, and libc3p0-java-doc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc3p0-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libc3p0-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libc3p0-java\", reference:\"0.9.1.2-9+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libc3p0-java-doc\", reference:\"0.9.1.2-9+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:27:49", "description": "It was discovered that there was a path traversal vulnerability in jsch, a pure Java implementation of the SSH2 protocol.\n\nFor Debian 7 'Wheezy', this issue has been fixed in jsch version 0.1.42-2+deb7u1.\n\nWe recommend that you upgrade your jsch packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-09-06T00:00:00", "type": "nessus", "title": "Debian DLA-611-1 : jsch security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5725"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libjsch-java", "p-cpe:/a:debian:debian_linux:libjsch-java-doc", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-611.NASL", "href": "https://www.tenable.com/plugins/nessus/93323", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-611-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93323);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2016-5725\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DLA-611-1 : jsch security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that there was a path traversal vulnerability in\njsch, a pure Java implementation of the SSH2 protocol.\n\nFor Debian 7 'Wheezy', this issue has been fixed in jsch version\n0.1.42-2+deb7u1.\n\nWe recommend that you upgrade your jsch packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00004.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/wheezy/jsch\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected libjsch-java, and libjsch-java-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjsch-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjsch-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libjsch-java\", reference:\"0.1.42-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libjsch-java-doc\", reference:\"0.1.42-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:05:28", "description": "It was discovered that there was a path traversal vulnerability in jsch, a pure Java implementation of the SSH2 protocol.\n\nFor Debian 8 'Jessie', this problem has been fixed in version 0.1.51-1+deb8u1.\n\nWe recommend that you upgrade your jsch packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-04-27T00:00:00", "type": "nessus", "title": "Debian DLA-2184-1 : jsch security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5725"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libjsch-java", "p-cpe:/a:debian:debian_linux:libjsch-java-doc", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2184.NASL", "href": "https://www.tenable.com/plugins/nessus/135976", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2184-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135976);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2016-5725\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DLA-2184-1 : jsch security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that there was a path traversal vulnerability in\njsch, a pure Java implementation of the SSH2 protocol.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n0.1.51-1+deb8u1.\n\nWe recommend that you upgrade your jsch packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/jsch\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected libjsch-java, and libjsch-java-doc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjsch-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libjsch-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libjsch-java\", reference:\"0.1.51-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libjsch-java-doc\", reference:\"0.1.51-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:46:51", "description": "The remote host is affected by the vulnerability described in GLSA-202107-37 (Apache Commons Collections: Remote code execution)\n\n Some classes in the Apache Commons Collections functor package deserialized potentially untrusted input by default.\n Impact :\n\n Deserializing untrusted input using Apache Commons Collections could result in remote code execution.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2022-01-24T00:00:00", "type": "nessus", "title": "GLSA-202107-37 : Apache Commons Collections: Remote code execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15708"], "modified": "2022-01-26T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:commons-collections", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202107-37.NASL", "href": "https://www.tenable.com/plugins/nessus/156980", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202107-37.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(156980);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/26\");\n\n script_cve_id(\"CVE-2017-15708\");\n script_xref(name:\"GLSA\", value:\"202107-37\");\n\n script_name(english:\"GLSA-202107-37 : Apache Commons Collections: Remote code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202107-37\n(Apache Commons Collections: Remote code execution)\n\n Some classes in the Apache Commons Collections functor package\n deserialized potentially untrusted input by default.\n \nImpact :\n\n Deserializing untrusted input using Apache Commons Collections could\n result in remote code execution.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202107-37\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Apache Commons Collections users should upgrade to the latest\n version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=dev-java/commons-collections-3.2.2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:commons-collections\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-java/commons-collections\", unaffected:make_list(\"ge 3.2.2\"), vulnerable:make_list(\"lt 3.2.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache Commons Collections\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:14", "description": "All Apache Synapse releases previous to 3.0.1 installed on the remote host are affected by a Remote Code Execution vulnerability. This can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-11-03T00:00:00", "type": "nessus", "title": "Apache Synapse < 3.0.1 Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15708"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:synapse"], "id": "SYNAPSE_3_0_0.NASL", "href": "https://www.tenable.com/plugins/nessus/142226", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142226);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-15708\");\n\n script_name(english:\"Apache Synapse < 3.0.1 Remote Code Execution Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a Remote Code Execution vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"All Apache Synapse releases previous to 3.0.1 installed on the remote host are\naffected by a Remote Code Execution vulnerability. This can be performed by injecting specially \ncrafted serialized objects. And the presence of Apache Commons Collections 3.2.1 \n(commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. \nTo mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to \n3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1,\nCommons Collection has been updated to 3.2.2 version.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/bid/102154\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Apache Synapse 3.0.1 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-15708\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:synapse\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"synapse_jar_detection.nbin\");\n script_require_keys(\"installed_sw/Apache Synapse\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Apache Synapse');\n\nconstraints = [\n {'fixed_version' : '3.0.1'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:12:41", "description": "It was discovered that there was a remote application crash vulnerability in libxstream-java, a Java library to serialize objects to XML and back again. This was due to mishandled attempts to create an instance of the primitive type 'void' during unmarshalling.\n\nFor Debian 7 'Wheezy', this issue has been fixed in libxstream-java version 1.4.2-1+deb7u2.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-05-02T00:00:00", "type": "nessus", "title": "Debian DLA-930-1 : libxstream-java security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7957"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libxstream-java", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-930.NASL", "href": "https://www.tenable.com/plugins/nessus/99919", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-930-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99919);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7957\");\n\n script_name(english:\"Debian DLA-930-1 : libxstream-java security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a remote application crash\nvulnerability in libxstream-java, a Java library to serialize objects\nto XML and back again. This was due to mishandled attempts to create\nan instance of the primitive type 'void' during unmarshalling.\n\nFor Debian 7 'Wheezy', this issue has been fixed in libxstream-java\nversion 1.4.2-1+deb7u2.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/05/msg00000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libxstream-java\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected libxstream-java package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxstream-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libxstream-java\", reference:\"1.4.2-1+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:13:35", "description": "It was discovered that XStream, a Java library to serialise objects to XML and back again, was suspectible to denial of service during unmarshalling.", "cvss3": {}, "published": "2017-05-04T00:00:00", "type": "nessus", "title": "Debian DSA-3841-1 : libxstream-java - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-7957"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libxstream-java", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3841.NASL", "href": "https://www.tenable.com/plugins/nessus/99970", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3841. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99970);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7957\");\n script_xref(name:\"DSA\", value:\"3841\");\n\n script_name(english:\"Debian DSA-3841-1 : libxstream-java - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that XStream, a Java library to serialise objects to\nXML and back again, was suspectible to denial of service during\nunmarshalling.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libxstream-java\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3841\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libxstream-java packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u2.\n\nFor the upcoming stable distribution (stretch), this problem will be\nfixed soon.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxstream-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libxstream-java\", reference:\"1.4.7-2+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:22:58", "description": "According to the version of the xerces-j2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-09-28T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : xerces-j2 (EulerOS-SA-2020-2068)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0881"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-j2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2068.NASL", "href": "https://www.tenable.com/plugins/nessus/140835", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140835);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2012-0881\"\n );\n script_bugtraq_id(\n 68753\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : xerces-j2 (EulerOS-SA-2020-2068)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the xerces-j2 package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote\n attackers to cause a denial of service (CPU\n consumption) via a crafted message to an XML service,\n which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2068\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b1699ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-j2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-j2-2.11.0-17.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:07:02", "description": "According to the version of the xerces-j2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-08-28T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP8 : xerces-j2 (EulerOS-SA-2020-1889)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0881"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-j2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1889.NASL", "href": "https://www.tenable.com/plugins/nessus/139992", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139992);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2012-0881\"\n );\n script_bugtraq_id(\n 68753\n );\n\n script_name(english:\"EulerOS 2.0 SP8 : xerces-j2 (EulerOS-SA-2020-1889)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the xerces-j2 package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote\n attackers to cause a denial of service (CPU\n consumption) via a crafted message to an XML service,\n which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1889\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ad5275c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-j2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(8)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP8\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-j2-2.11.0-34.h1.eulerosv2r8\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"8\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:35", "description": "According to the version of the xerces-j2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-11-03T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : xerces-j2 (EulerOS-SA-2020-2405)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0881"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-j2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2405.NASL", "href": "https://www.tenable.com/plugins/nessus/142350", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142350);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2012-0881\"\n );\n script_bugtraq_id(\n 68753\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : xerces-j2 (EulerOS-SA-2020-2405)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the xerces-j2 package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote\n attackers to cause a denial of service (CPU\n consumption) via a crafted message to an XML service,\n which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2405\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?557a544f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-j2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-j2-2.11.0-17.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:09", "description": "According to the version of the xerces-j2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-30T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : xerces-j2 (EulerOS-SA-2020-2277)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0881"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:xerces-j2", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-2277.NASL", "href": "https://www.tenable.com/plugins/nessus/142063", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142063);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2012-0881\"\n );\n script_bugtraq_id(\n 68753\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : xerces-j2 (EulerOS-SA-2020-2277)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the xerces-j2 package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - Apache Xerces2 Java Parser before 2.12.0 allows remote\n attackers to cause a denial of service (CPU\n consumption) via a crafted message to an XML service,\n which triggers hash table collisions.(CVE-2012-0881)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2277\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9a464673\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xerces-j2 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"xerces-j2-2.11.0-17.h1.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xerces-j2\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:06:22", "description": "Security fix for CVE-2016-3674\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-04-27T00:00:00", "type": "nessus", "title": "Fedora 22 : xstream-1.4.9-1.fc22 (2016-250042b8a6)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:xstream", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-250042B8A6.NASL", "href": "https://www.tenable.com/plugins/nessus/90727", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-250042b8a6.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90727);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3674\");\n script_xref(name:\"FEDORA\", value:\"2016-250042b8a6\");\n\n script_name(english:\"Fedora 22 : xstream-1.4.9-1.fc22 (2016-250042b8a6)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-3674\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1321789\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66f33493\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xstream package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"xstream-1.4.9-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xstream\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:22:53", "description": "Security fix for CVE-2016-3674\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-04-05T00:00:00", "type": "nessus", "title": "Fedora 24 : xstream-1.4.9-1.fc24 (2016-175b56bb05)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:xstream", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-175B56BB05.NASL", "href": "https://www.tenable.com/plugins/nessus/90327", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-175b56bb05.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90327);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3674\");\n script_xref(name:\"FEDORA\", value:\"2016-175b56bb05\");\n\n script_name(english:\"Fedora 24 : xstream-1.4.9-1.fc24 (2016-175b56bb05)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-3674\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1321789\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/181205.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1bf54099\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xstream package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"xstream-1.4.9-1.fc24\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xstream\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:23:30", "description": "Security fix for CVE-2016-3674\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-04-27T00:00:00", "type": "nessus", "title": "Fedora 23 : xstream-1.4.9-1.fc23 (2016-de909cc333)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:xstream", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-DE909CC333.NASL", "href": "https://www.tenable.com/plugins/nessus/90739", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-de909cc333.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90739);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3674\");\n script_xref(name:\"FEDORA\", value:\"2016-de909cc333\");\n\n script_name(english:\"Fedora 23 : xstream-1.4.9-1.fc23 (2016-de909cc333)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-3674\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1321789\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cce1a3a5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected xstream package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"xstream-1.4.9-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xstream\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:23:41", "description": "It was discovered that XStream, a Java library to serialize objects to XML and back again, was susceptible to XML External Entity attacks.", "cvss3": {}, "published": "2016-05-13T00:00:00", "type": "nessus", "title": "Debian DSA-3575-1 : libxstream-java - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libxstream-java", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3575.NASL", "href": "https://www.tenable.com/plugins/nessus/91110", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3575. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91110);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3674\");\n script_xref(name:\"DSA\", value:\"3575\");\n\n script_name(english:\"Debian DSA-3575-1 : libxstream-java - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libxstream-java\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3575\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libxstream-java packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.4.7-2+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxstream-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libxstream-java\", reference:\"1.4.7-2+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:30", "description": "It was discovered that XStream, a Java library to serialize objects to XML and back again, was susceptible to XML External Entity attacks.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 1.4.2-1+deb7u1.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2016-06-09T00:00:00", "type": "nessus", "title": "Debian DLA-504-1 : libxstream-java security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3674"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libxstream-java", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-504.NASL", "href": "https://www.tenable.com/plugins/nessus/91521", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-504-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91521);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3674\");\n\n script_name(english:\"Debian DLA-504-1 : libxstream-java security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that XStream, a Java library to serialize objects to\nXML and back again, was susceptible to XML External Entity attacks.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.4.2-1+deb7u1.\n\nWe recommend that you upgrade your libxstream-java packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/06/msg00007.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libxstream-java\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected libxstream-java package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libxstream-java\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libxstream-java\", reference:\"1.4.2-1+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:31", "description": "Rebase to upstream version 2.3 and add patch to fix CVE-2012-2098.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-05-11T00:00:00", "type": "nessus", "title": "Fedora 18 : plexus-archiver-2.3-1.fc18 (2013-5548)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:plexus-archiver", "cpe:/o:fedoraproject:fedora:18"], "id": "FEDORA_2013-5548.NASL", "href": "https://www.tenable.com/plugins/nessus/66378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-5548.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66378);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2098\");\n script_bugtraq_id(53676);\n script_xref(name:\"FEDORA\", value:\"2013-5548\");\n\n script_name(english:\"Fedora 18 : plexus-archiver-2.3-1.fc18 (2013-5548)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebase to upstream version 2.3 and add patch to fix CVE-2012-2098.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=951522\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?484a0607\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"plexus-archiver-2.3-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:42", "description": "Rebase to upstream version 2.3 and add patch to fix CVE-2012-2098.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-05-11T00:00:00", "type": "nessus", "title": "Fedora 17 : plexus-archiver-2.3-1.fc17 (2013-5546)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:plexus-archiver", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2013-5546.NASL", "href": "https://www.tenable.com/plugins/nessus/66377", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-5546.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66377);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2098\");\n script_bugtraq_id(53676);\n script_xref(name:\"FEDORA\", value:\"2013-5546\");\n\n script_name(english:\"Fedora 17 : plexus-archiver-2.3-1.fc17 (2013-5546)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebase to upstream version 2.3 and add patch to fix CVE-2012-2098.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=951521\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aee6b2b0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"plexus-archiver-2.3-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:41", "description": "Rebase to upstream version and add patch to fix CVE-2012-2098.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-05-11T00:00:00", "type": "nessus", "title": "Fedora 19 : plexus-archiver-2.3-1.fc19 (2013-5530)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:plexus-archiver", "cpe:/o:fedoraproject:fedora:19"], "id": "FEDORA_2013-5530.NASL", "href": "https://www.tenable.com/plugins/nessus/66376", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-5530.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66376);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_bugtraq_id(53676);\n script_xref(name:\"FEDORA\", value:\"2013-5530\");\n\n script_name(english:\"Fedora 19 : plexus-archiver-2.3-1.fc19 (2013-5530)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Rebase to upstream version and add patch to fix CVE-2012-2098.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=911539\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105121.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bb60b5c7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"plexus-archiver-2.3-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:09:33", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. (CVE-2012-2098)", "cvss3": {}, "published": "2015-01-19T00:00:00", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : ant (algorithmic_complexity_vulnerability_in_apache)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:ant"], "id": "SOLARIS11_ANT_20130430.NASL", "href": "https://www.tenable.com/plugins/nessus/80580", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80580);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-2098\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : ant (algorithmic_complexity_vulnerability_in_apache)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - Algorithmic complexity vulnerability in the sorting\n algorithms in bzip2 compressing stream\n (BZip2CompressorOutputStream) in Apache Commons Compress\n before 1.4.1 allows remote attackers to cause a denial\n of service (CPU consumption) via a file with many\n repeating inputs. (CVE-2012-2098)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/algorithmic-complexity-vulnerability-in-apache-ant\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4785b054\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.1.3.4.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:ant\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^ant$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ant\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.3.0.4.0\", sru:\"SRU 11.1.3.4.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : ant\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"ant\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:23:38", "description": "Update to 1.4.1, fixing CVE-2012-2098\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2012-06-04T00:00:00", "type": "nessus", "title": "Fedora 16 : apache-commons-compress-1.4.1-1.fc16 (2012-8465)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:apache-commons-compress", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2012-8465.NASL", "href": "https://www.tenable.com/plugins/nessus/59349", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-8465.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59349);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2098\");\n script_bugtraq_id(53676);\n script_xref(name:\"FEDORA\", value:\"2012-8465\");\n\n script_name(english:\"Fedora 16 : apache-commons-compress-1.4.1-1.fc16 (2012-8465)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.4.1, fixing CVE-2012-2098\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=810406\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?582dc174\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache-commons-compress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:apache-commons-compress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"apache-commons-compress-1.4.1-1.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-compress\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:10", "description": "Update to 1.4.1, fixing CVE-2012-2098\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2012-06-04T00:00:00", "type": "nessus", "title": "Fedora 17 : apache-commons-compress-1.4.1-1.fc17 (2012-8428)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2098"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:apache-commons-compress", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2012-8428.NASL", "href": "https://www.tenable.com/plugins/nessus/59346", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-8428.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59346);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2098\");\n script_bugtraq_id(53676);\n script_xref(name:\"FEDORA\", value:\"2012-8428\");\n\n script_name(english:\"Fedora 17 : apache-commons-compress-1.4.1-1.fc17 (2012-8428)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 1.4.1, fixing CVE-2012-2098\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?65e7ee03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected apache-commons-compress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:apache-commons-compress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"apache-commons-compress-1.4.1-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-compress\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:45", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a website) via unspecified vectors. (CVE-2016-3093)", "cvss3": {}, "published": "2016-06-28T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Apache Struts 2 vulnerability (K23432135)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3093"], "modified": "2019-01-04T00:00:00", "cpe": ["cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL23432135.NASL", "href": "https://www.tenable.com/plugins/nessus/91861", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K23432135.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91861);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2016-3093\");\n\n script_name(english:\"F5 Networks BIG-IP : Apache Struts 2 vulnerability (K23432135)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method\nreferences when used with OGNL before 3.0.12, which allows remote\nattackers to cause a denial of service (block access to a website) via\nunspecified vectors. (CVE-2016-3093)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K23432135\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K23432135.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K23432135\";\nvmatrix = make_array();\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.0.0\",\"11.4.0-11.6.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running the affected module AM\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "mageia": [{"lastseen": "2023-05-27T15:00:32", "description": "Thijs Alkemade discovered that unexpected automatic deserialisation of Java objects in the MySQL Connector/J JDBC driver may result in the execution of arbitary code (CVE-2017-3523). Two vulnerabilities have been found in the MySQL Connector/J JDBC driver (CVE-2017-3586, CVE-2017-3589). \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-10-24T05:50:58", "type": "mageia", "title": "Updated mysql-connector-java packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589"], "modified": "2017-10-24T05:50:58", "id": "MGASA-2017-0382", "href": "https://advisories.mageia.org/MGASA-2017-0382.html", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:00:33", "description": "An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433). c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration (CVE-2019-5427). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-28T07:52:40", "type": "mageia", "title": "Updated c3p0 packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2020-01-28T07:52:39", "id": "MGASA-2020-0051", "href": "https://advisories.mageia.org/MGASA-2020-0051.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:00:32", "description": "It was discovered that there was a path traversal vulnerability in jsch (CVE-2016-5725). \n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-09-21T20:38:22", "type": "mageia", "title": "Updated jsch packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2016-09-21T20:38:22", "id": "MGASA-2016-0311", "href": "https://advisories.mageia.org/MGASA-2016-0311.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-26T15:09:54", "description": "Updated xstream packages fix security vulnerability: XStream (x-stream.github.io) is a Java library to marshal Java objects into XML and back. For this purpose it supports a lot of different XML parsers. Some of those can also process external entities which was enabled by default. An attacker could therefore provide manipulated XML as input to access data on the file system (CVE-2016-3674). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-05T16:26:44", "type": "mageia", "title": "Updated xstream packages fix CVE-2016-3674\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-05-05T16:26:44", "id": "MGASA-2016-0164", "href": "https://advisories.mageia.org/MGASA-2016-0164.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-26T15:09:54", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs (CVE-2012-2098). plexus-archiver used an embedded copy of the affected code from Apache Commons Compress, and therefore was affected by this. It has been patched to use the apache-commons-compress package, in which this issue has already been fixed, for bzip2 compression and decompression. \n", "cvss3": {}, "published": "2014-02-12T17:07:07", "type": "mageia", "title": "Updated plexus-archiver package fixes security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2014-02-12T17:07:07", "id": "MGASA-2014-0056", "href": "https://advisories.mageia.org/MGASA-2014-0056.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ibm": [{"lastseen": "2023-04-24T18:11:55", "description": "## Summary\n\nThere are vulnerabilities in Apache Xerces2 Java Parser that affect Apache Solr. The details are available in the Vulnerability Details section.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n** DESCRIPTION: **A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n** CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n** DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2009-2625](<https://vulners.com/cve/CVE-2009-2625>) \n** DESCRIPTION: **Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nLog Analysis| 1.3.1 \nLog Analysis| 1.3.2 \nLog Analysis| 1.3.3 \nLog Analysis| 1.3.4 \nLog Analysis| 1.3.5 \nLog Analysis| 1.3.6 \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) :| Fix details \n \n---|--- \nIBM Operations Analytics - Log Analysis version 1.3.x| Upgrade to Log Analysis version 1.3.7 Download the 1.3.7-TIV-IOALA-FP [here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Operations%20Analytics&product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Log+Analysis&release=1.3.7&platform=All&function=all> \"here\" ). \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-16T07:16:00", "type": "ibm", "title": "Security Bulletin: Apache Solr, shipped with IBM Operations Analytics - Log Analysis, susceptible to multiple vulnerabilities in Apache Xerces2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2625", "CVE-2012-0881", "CVE-2013-4002"], "modified": "2021-04-16T07:16:00", "id": "E472DE505C96419516AEFE62313E85E4E907BADF9E49C6E7E7D5A4719C5D4565", "href": "https://www.ibm.com/support/pages/node/6444043", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-27T21:52:25", "description": "## Summary\n\nCVE-2009-2625 CVE-2012-0881 CVE-2013-4002 CVE-2014-0107 Multiple Xml handling Issues in xerces and xalan\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2009-2625](<https://vulners.com/cve/CVE-2009-2625>) \n** DESCRIPTION: **Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n** DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n** DESCRIPTION: **A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n** CVEID: **[CVE-2014-0107](<https://vulners.com/cve/CVE-2014-0107>) \n** DESCRIPTION: **Apache Xalan-Java could allow a remote attacker to bypass security restrictions, caused by the improper handling of output properties. An attacker could exploit this vulnerability to bypass the secure processing feature to load arbitrary restricted classes. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92023](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92023>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nUCD - IBM UrbanCode Deploy| 6.2.7.4 \nUCD - IBM UrbanCode Deploy| 6.2.7.3 \nUCD - IBM UrbanCode Deploy| 7.0.4.0 \nUCD - IBM UrbanCode Deploy| 7.0.3.0 \nUCD - IBM UrbanCode Deploy| All \n \n\n\n## Remediation/Fixes\n\nUpdate to latest release of UCD\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-04T18:49:55", "type": "ibm", "title": "Security Bulletin: CVE-2009-2625 CVE-2012-0881 CVE-2013-4002 CVE-2014-0107 Multiple Xml handling Issues in xerces and xalan", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2625", "CVE-2012-0881", "CVE-2013-4002", "CVE-2014-0107"], "modified": "2020-08-04T18:49:55", "id": "B8DC16D7984D0BBBA4C1AF32274D163BB6450605EB784C1C3FB1AA833F622DDD", "href": "https://www.ibm.com/support/pages/node/6233388", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-27T17:44:31", "description": "## Summary\n\nMultiple denial of service vulnerabilities in Apache Xerces used by IBM InfoSphere Information Server were addressed.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2022-23437](<https://vulners.com/cve/CVE-2022-23437>) \n**DESCRIPTION: **Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217982](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217982>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) \n \n**CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n**DESCRIPTION: **A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n**CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n**DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: **[CVE-2009-2625](<https://vulners.com/cve/CVE-2009-2625>) \n**DESCRIPTION: **Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nInfoSphere Information Server | 11.7 \n \n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 | [DT135064](<https://www.ibm.com/mysupport/s/defect/aCI3p000000Xhp7> \"DT135064\" ) \n| \\--Apply InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/docview.wss?uid=ibm10878310> \"11.7.1.0\" ) \n\\--Apply InfoSphere Information Server version [11.7.1.4](<https://www.ibm.com/support/pages/node/6620275> \"11.7.1.4\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-18T20:24:46", "type": "ibm", "title": "Security Bulletin: Multiple denial of service vulnerabilities in Apache Xerces affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2625", "CVE-2012-0881", "CVE-2013-4002", "CVE-2022-23437"], "modified": "2022-10-18T20:24:46", "id": "C9DF9C64EA1901A4A73100734E733E276B2C17AF4A3093D142E5F13C918BC741", "href": "https://www.ibm.com/support/pages/node/6829361", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-27T17:39:49", "description": "## Summary\n\nVulnerability in Apache Commons Collections library shipped with IBM Sterling Global Mailbox has been addressed. [CVE-2015-6420, CVE-2017-15708]\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n** DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n** DESCRIPTION: **Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Sterling Global Mailbox| 6.0.3.7 \nIBM Sterling Global Mailbox| 6.1.2.0 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Apache Commons Collections which is shipped with Global Mailbox.\n\n**Product** \n\n\n| \n\n**Version**\n\n| \n\n**Fix / Remediation** \n \n \n---|---|--- \n \nIBM Sterling Global Mailbox\n\n| \n\n6.0.3.7 \n\n\n| \n\nApply 6.0.3.8 \n \nIBM Sterling Global Mailbox| \n\n6.1.2.0\n\n| \n\nApply 6.1.2.1 \n \n6.0.3.8 is now available on Fix Central - \n\n**B2Bi IIM** \nFix Central Link: [https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&amp;fixids=6.0.3.8-OtherSoftware-B2Bi-All&amp;source=SAR](<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm*2FOther*software*2FSterling*B2B*Integrator%26fixids%3D6.0.3.8-OtherSoftware-B2Bi-All%26source%3DSAR__%3BJSslKys!!I6-MEfEZPA!IB5bkMjlwf6g1E3PKztw1OJ9iNkrCn3ZHiWpomnQeY3XrRYvuaad2g_AXU1IWGlMPm_J_IWZuWv95PKqAVytg0hI%24&data=05%7C01%7CVijaysing.Chavan%40precisely.com%7C37ccf45f380f45c9737508db09d99eb8%7Cc0a2941c29154bcaaa4ce8880dc77f7f%7C0%7C0%7C638114602512673018%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6sSe0xPzbt6QQ7LqqcTJUYpUZKQ8WXWh%2FqdUFTQsF9k%3D&reserved=0> \"\" )\n\n**B2Bi Docker**\n\nFix Central Link: [https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&amp;fixids=6.0.3.8-OtherSoftware-B2Bi-Docker-All&amp;source=SAR](<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm*2FOther*software*2FSterling*B2B*Integrator%26fixids%3D6.0.3.8-OtherSoftware-B2Bi-Docker-All%26source%3DSAR__%3BJSslKys!!I6-MEfEZPA!JGykiNBynnWJd4TdORA9lDYom5N97PlrkvOhq02rASG0J6vbtfHJIrmmaaBMXvDgWe696ZfmFArum1enciFI62j_%24&data=05%7C01%7CVijaysing.Chavan%40precisely.com%7C37ccf45f380f45c9737508db09d99eb8%7Cc0a2941c29154bcaaa4ce8880dc77f7f%7C0%7C0%7C638114602512673018%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KtHIqZSQUuozOr5pPlu7K%2BY5NK%2Bf93cPdzujz%2FSZ4OM%3D&reserved=0> \"\" )\n\n**SFG IIM**\n\nFix Central Link: [https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&amp;fixids=6.0.3.8-OtherSoftware-SFG-All&amp;source=SAR](<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm*2FOther*software*2FSterling*File*Gateway%26fixids%3D6.0.3.8-OtherSoftware-SFG-All%26source%3DSAR__%3BJSslKys!!I6-MEfEZPA!K_D0a3ItCrdh9vNrzZZpoAz822qT-qQLA4bAY95iEBVC4XuuOOLRPQ1FGE1v1-OQTKyeEkEKML7oILxfn6kHm0WV%24&data=05%7C01%7CVijaysing.Chavan%40precisely.com%7C37ccf45f380f45c9737508db09d99eb8%7Cc0a2941c29154bcaaa4ce8880dc77f7f%7C0%7C0%7C638114602512673018%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=G8919cMqkirIpsY5tUpOTpieOYcOu3Hd90JI87Qy%2F4w%3D&reserved=0> \"\" )\n\n**SFG Docker**\n\nFix Central Link: [https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&amp;fixids=6.0.3.8-OtherSoftware-SFG-Docker-All&amp;source=SAR](<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fwww.ibm.com%2Fsupport%2Ffixcentral%2Fquickorder%3Fproduct%3Dibm*2FOther*software*2FSterling*File*Gateway%26fixids%3D6.0.3.8-OtherSoftware-SFG-Docker-All%26source%3DSAR__%3BJSslKys!!I6-MEfEZPA!NAcvNpyZak7BFXos-LTfmLHO9eh1d7ngkSrQkF37UmOIRluNWJ_AxUiidguAcoVbIKuXjDJU8_UnbKvA03-qsKVO%24&data=05%7C01%7CVijaysing.Chavan%40precisely.com%7C37ccf45f380f45c9737508db09d99eb8%7Cc0a2941c29154bcaaa4ce8880dc77f7f%7C0%7C0%7C638114602512673018%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nebmQ1fAKh79HDLg%2BrCj%2FKK26KSPM%2B4JPMUx%2BJ4F5H4%3D&reserved=0> \"\" )\n\n6.1.2.1 IIM &amp; Certified Container is now available on Fix Central -\n\n**Sterling B2B Integrator**\n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&amp;product=ibm/Other+software/Sterling+B2B+Integrator&amp;release=6.1.2.0&amp;platform=All&amp;function=fixId&amp;fixids=6.1.2.1-OtherSoftware-B2Bi-All+&amp;includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-B2Bi-All+&includeSupersedes=0>)\n\n**Sterling File Gateway**\n\n[https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&amp;product=ibm/Other+software/Sterling+File+Gateway&amp;release=6.1.2.0&amp;platform=All&amp;function=fixId&amp;fixids=6.1.2.1-OtherSoftware-SFG-All+&amp;includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-SFG-All+&includeSupersedes=0>)\n\n**Certified Container**\n\nCertified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.\n\n**IBM Sterling B2B Integrator V6.1.2.1**\n\n * Certified Container Image\n\ncp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1\n\n * Helm Chart\n\n<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-b2bi-prod-2.1.1.tgz>\n\n**IBM Sterling File Gateway V6.1.2.1**\n\n * Certified Container Image\n\ncp.icr.io/cp/ibm-sfg/sfg:6.1.2.1\n\n * Helm Chart \n<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-sfg-prod-2.1.1.tgz>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-22T13:38:06", "type": "ibm", "title": "Security Bulletin: IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-6420", "CVE-2017-15708"], "modified": "2023-02-22T13:38:06", "id": "37A865B8A16F0A6EAC8B82722E64A2EAC9B4AB1D6FE4CBA00F40A43E0855F3B9", "href": "https://www.ibm.com/support/pages/node/6957392", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-26T18:04:09", "description": "## Summary\n\nIBM Sterling B2B Integrator has addressed the vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n** DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n** DESCRIPTION: **A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)\n\n## Affected Products and Versions\n\nAffected Product(s)| APAR(s)| Version(s) \n---|---|--- \nIBM Sterling B2B Integrator| IT37615| 5.2.0.0 - 5.2.6.5_4 \nIBM Sterling B2B Integrator| IT37615| 6.0.0.0 - 6.0.0.6, 6.0.1.0 - 6.0.3.4 \nIBM Sterling B2B Integrator| IT37615| 6.1.0.0 - 6.1.0.3 \n \n\n\n## Remediation/Fixes\n\nProduct &amp; Version| Remediation &amp; Fix \n---|--- \n5.2.0.0 - 5.2.6.5_4| Apply IBM Sterling B2B Integrator version 6.0.0.7, 6.0.3.5, 6.1.1.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.0.6, 6.0.1.0 - 6.0.3.4| Apply IBM Sterling B2B Integrator version 6.0.0.7, 6.0.3.5, or 6.1.1.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.1.0.0 - 6.1.0.3| Apply IBM Sterling B2B Integrator version 6.1.1.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-05T20:51:14", "type": "ibm", "title": "Security Bulletin: Apache Xerces2 Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2012-0881, CVE-2013-4002)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2013-4002"], "modified": "2021-10-05T20:51:14", "id": "E593E12AB7D6E26E07598ADF3963FAD201BAABDA173B0C2AE81C1AAB831FBC26", "href": "https://www.ibm.com/support/pages/node/6495949", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:58:30", "description": "## Summary\n\nSecurity vulnerabilities have been reported for the Apache Struts 1.1 and Apache Commons FileUpload libraries shipped with one component of IBM Business Process Manager V8.5.5. \n\n## Vulnerability Details\n\nThe vulnerable libraries are used only in an administrative user interface that, by default, is available only to one administrative user. Other usage of the same libraries in IBM Business Process Manager have been addressed by fixes detailed in the security bulletin links in the References section**.** \n \n**CVE ID: **[_CVE-2014-0114_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0114>) \n \n**DESCRIPTION: ** \nApache Struts might allow a remote attacker to execute arbitrary code on the system, which is caused by the failure to restrict the setting of ClassflLoader attributes. An attacker might exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \n \n**CVSS:** \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n**CVE ID: **[_CVE-2014-0050_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0050>) \n \n**DESCRIPTION: \n**Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, which is caused by the improper handling of Content-Type HTTP header for multipart requests. By sending a specially-crafted request, an attacker might exploit this vulnerability to cause the application to enter into an infinite loop. \n \n**CVSS:** \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/90987_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90987>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n * IBM Business Process Manager Express V8.5.5\n * IBM Business Process Manager Standard V8.5.5\n * IBM Business Process Manager Advanced V8.5.5\n\n## Remediation/Fixes\n\nThe recommended solution is to install interim fix JR50538 on IBM Business Process Manager V8.5.5. JR50538 is available on Fix Central through the following links: \n\n * [_IBM Business Process Manager Express V8.5.5_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=8.5.5.0&platform=All&function=fixId&fixids=8.5.5.0-WS-BPM-IFJR50538&includeRequisites=0&includeSupersedes=0&downloadMethod=ddp&source=fc>)\n * [_IBM Business Process Manager Standard V8.5.5_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=8.5.5.0&platform=All&function=fixId&fixids=8.5.5.0-WS-BPM-IFJR50538&includeRequisites=0&includeSupersedes=0&downloadMethod=ddp&source=fc>)\n * [_IBM Business Process Manager Advanced V8.5.5_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=8.5.5.0&platform=All&function=fixId&fixids=8.5.5.0-WS-BPM-IFJR50538&includeRequisites=0&includeSupersedes=0&downloadMethod=ddp&source=fc>)\n\n## Workarounds and Mitigations\n\nThe vulnerable application is only required for IBM Support to gather additional information. By default, only a single administrative user (deployment environment administrator) can access the application. You can completely prevent access to the application by removing all users and groups from the Java\u2122 Platform Enterprise Edition (Java EE) role mapping in this application. \n \nIn the WebSphere Administrative Console, navigate to **Applications &gt; Application Types &gt; WebSphere Enterprise Applications &gt; IBM_BPM_DocStoreAdmin_&lt;clusterName&gt; &gt; Security role to user/group mapping**. Remove all users and groups from the role mapping.\n\n## ", "cvss3": {}, "published": "2018-06-15T07:00:58", "type": "ibm", "title": "Security Bulletin: ClassLoader manipulation with Apache Struts (CVE-2014-0114) and Denial Of Service vulnerability in Apache Commons FileUpload (CVE-2014-0050) affect IBM Business Process Manager (BPM) V8.5.5.0", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0050", "CVE-2014-0114"], "modified": "2018-06-15T07:00:58", "id": "D073E08AD140CB6620590BE3498F8D2736D636AB608813B1FECA6FBC21280451", "href": "https://www.ibm.com/support/pages/node/516051", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T17:35:59", "description": "## Summary\n\nAtlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar. Hence org.apache.xerces_2.9.0.v201101211617-4.8.0.jar upgraded to org.apache.xerces_2.12.2.v201101211617-4.8.0.jar to fix vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n** DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2009-2625](<https://vulners.com/cve/CVE-2009-2625>) \n** DESCRIPTION: **Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/53082](<https://exchange.xforce.ibmcloud.com/vulnerabilities/53082>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2022-23437](<https://vulners.com/cve/CVE-2022-23437>) \n** DESCRIPTION: **Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217982](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217982>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nAtlas eDiscovery Process Management| 6.0.3 \n \n\n\n## Remediation/Fixes\n\n**_ Product_**\n\n| \n\n**_ VRMF_**\n\n| \n\n**_ Remediation/First Fix_** \n \n---|---|--- \n \nAtlas eDiscovery Process Management\n\n| \n\n6.0.3\n\n| \n\nApply Fix Pack **6.0.3.9 Interim fix 7**, available from [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Atlas%20eDiscovery&product=ibm/Information+Management/Atlas+eDiscovery+Process+Management&release=6.0.3.9&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-08T08:35:39", "type": "ibm", "title": "Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2625", "CVE-2012-0881", "CVE-2022-23437"], "modified": "2023-05-08T08:35:39", "id": "6F77F80EE3AB09F7D1E3FF7C55920CDAC0C2065B8D946835C616112F8BE43DEE", "href": "https://www.ibm.com/support/pages/node/6988893", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-27T17:35:29", "description": "## Summary\n\nApache Xerces is not used by IBM App Connect Enterprise Certified Container but was present in an image. IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability. [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437]\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2012-0881](<https://vulners.com/cve/CVE-2012-0881>) \n** DESCRIPTION: **Apache Xerces2 Java is vulnerable to a denial of service, caused by a flaw in the XML service. By sending a specially crafted message to an XML service, a remote attacker could exploit this vulnerability to consume available CPU resources from the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/134404](<https://exchange.xforce.ibmcloud.com/vulnerabilities/134404>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) \n** DESCRIPTION: **A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. \nCVSS Base score: 7.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n** CVEID: **[CVE-2022-23437](<https://vulners.com/cve/CVE-2022-23437>) \n** DESCRIPTION: **Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217982](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217982>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nApp Connect Enterprise Certified Container| 5.0-lts \n \n## Remediation/Fixes\n\nIBM strongly suggests the following: \n**App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)**\n\nOnly the DesignerAuthoring and IntegrationServer operands at version 12.0.8.0-r1-lts are affected. \n\nTo resolve this vulnerability, upgrade to App Connect Enterprise Certified Container Operator version 5.0.7 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.8.0-r2-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>\n\nAlternatively, if operands at 12.0.8.0-r1-lts must be used, the fix can be applied by updating the DesignerAuthoring and IntegrationServer operands to use a custom image\n\nFor a DesignerAuthoring instance, update the instance definition by setting the field \"spec.integrationServer.containers.runtime.image\" to the value \"icr.io/cp/appc/ace-server-prod:12.0.8.0-r2-lts-20230421-155247@sha256:ea3a4c69678adad6acd3238ed94b690646dad1fb115a98d6398fdff2275ffa91\". See <https://www.ibm.com/docs/en/app-connect/container?topic=resources-designer-authoring-reference> for more information\n\nFor an IntegrationServer instance, update the instance definition by setting the field \"spec.pod.containers.runtime.image\" to the value \"icr.io/cp/appc/ace-server-prod:12.0.8.0-r2-lts-20230421-155247@sha256:ea3a4c69678adad6acd3238ed94b690646dad1fb115a98d6398fdff2275ffa91\". See <https://www.ibm.com/docs/en/app-connect/container?topic=resources-integration-server-reference> for more information\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-23T14:54:04", "type": "ibm", "title": "Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2013-4002", "CVE-2022-23437"], "modified": "2023-05-23T14:54:04", "id": "3AE8B7045D3F6049DF983F14126D0E4FAAF567E5AEA283E61BDCAB7EE7E255EF", "href": "https://www.ibm.com/support/pages/node/6985605", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:39:00", "description": "## Summary\n\nMultiple vulnerabilities in Apache Commons exists in IBM Sterling B2B Integrator\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>)** \nDESCRIPTION:** Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90987> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>)** \nDESCRIPTION:** Apache Commons FileUpload could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82618> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) \n\n## Affected Products and Versions\n\nIBM Sterling B2B Integrator 5.2\n\n## Remediation/Fixes\n\n**Product &amp; Version **\n\n| \n\n**Remediation/Fix** \n \n---|--- \n \nIBM Sterling B2B Integrator 5.2.0 - 5.2.6.3\n\n| Apply fix pack 5020603 then interim fix 5020603_1 on [_Fix Central_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=5.2.6.3&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-05T00:53:36", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Apache Commons Affect IBM Sterling B2B Integrator (CVE-2016-3092, CVE-2014-0050, CVE-2013-0248)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0248", "CVE-2014-0050", "CVE-2016-3092"], "modified": "2020-02-05T00:53:36", "id": "DBEEBEA67BF53D06F2B67D1EC250BC6DC481E7E1D95538F33DA149848FB8D480", "href": "https://www.ibm.com/support/pages/node/291151", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-27T21:49:42", "description": "## Summary\n\nJazz for Service Management is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)\n\n## Vulnerability Details\n\n**CVEID: **CVE-2017-15708 \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version\n\n**CVEID: **[](<https://vulners.com/cve/CVE-2019-17566>)CVE-2015-6420[](<https://vulners.com/cve/CVE-2019-17566>) \n**DESCRIPTION: ** Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Clien t Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Net work Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transco ding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrar y commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library\n\n**CVEID: **CVE-2015-4852 \n**DESCRIPTION: ** The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 all ows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collection s.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.\n\n## Affected Products and Versions\n\n## Affected JazzSM versions\n\nAffected Product(s) | Version(s) \n---|--- \nJazz for Service Management | 1.1.3 - 1.1.3.8 \n \n## Remediation/Fixes\n\n1\\. Upgrade IBM Websphere Application Server (WAS) version to v8.5.5.17 or v8.5.5.18\n\n2\\. Move commons-collections.jar file from below path to another safe location \n\n&lt;JazzSM Installed Location&gt;/profile/installedApps/JazzSMNode01Cell/isc.ear\n\n3\\. Copy commons-collections.jar file from folder &lt;WAS Installed Location&gt;/systemApps/isclite.ear to &lt;JazzSM Installed Location&gt;/profile/installedApps/JazzSMNode01Cell/isc.ear\n\n4\\. Restart JazzSM profile server\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-20T11:33:26", "type": "ibm", "title": "Security Bulletin: IBM Jazz for Service Management (JazzSM) is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2017-15708", "CVE-2019-17566"], "modified": "2020-10-20T11:33:26", "id": "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "href": "https://www.ibm.com/support/pages/node/6350069", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:42:09", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting Websphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease consult the security bulletins:\n\n[Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>),\n\n[Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>),\n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>),\n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>)\n\nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is/are shipped with Predictive Customer Intelligence.\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1 | Websphere Application Server 8.5.5 | [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>)\n\n[Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>)\n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>)\n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) \n \nPredictive Customer Intelligence 1.1 and 1.1.1 | Websphere Application Server 8.5.5.6 | [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>)\n\n[Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>)\n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>)\n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) \n \nPredictive Customer Intelligence 1.1.2 | Websphere Application Server 9.0.0.4 | [Security Bulletin: Information disclosure in Apache Commons HttpClient used by WebSphere Application Server (CVE-2012-5783)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>)\n\n[Security Bulletin: Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>)\n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>)\n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security Vulnerabilities have been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2012-5783, CVE-2018-1614, CVE-2014-0114, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5783", "CVE-2014-0114", "CVE-2015-0899", "CVE-2018-1614"], "modified": "2020-02-11T21:31:00", "id": "0F8C9B43069C04EF8D42F75FA8D42A5837D2A01F1B45F132DD6CE116C7562B83", "href": "https://www.ibm.com/support/pages/node/715391", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-05-27T13:40:36", "description": "## Summary\n\nApache Commons Fileupload is shipped with IBM Tivoli Business Manager 6.2.0 as part of its web service infrastucture. Information about security vulnerabilities affecting Apache Commons Fileupload has been published in a security bulletin.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2013-2186](<https://vulners.com/cve/CVE-2013-2186>) \n** DESCRIPTION: **Apache commons-fileupload could allow a remote attacker to overwrite arbitrary files on the system, caused by a NULL byte in the implementation of the DiskFileItem class. By sending a serialized instance of the DiskFileItem class, an attacker could exploit this vulnerability to write or overwrite arbitrary files on the system. \nCVSS Base score: 6.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/88133](<https://exchange.xforce.ibmcloud.com/vulnerabilities/88133>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P) \n \n** CVEID: **[CVE-2013-0248](<https://vulners.com/cve/CVE-2013-0248>) \n** DESCRIPTION: **Apache Commons FileUpload could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files on the system with elevated privileges. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/82618](<https://exchange.xforce.ibmcloud.com/vulnerabilities/82618>) for the current score. \nCVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:P) \n \n** CVEID: **[CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2014-0050](<https://vulners.com/cve/CVE-2014-0050>) \n** DESCRIPTION: **Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multipart requests by MultipartStream.java. An attacker could exploit this vulnerability using a specially crafted Content-Type header to cause the application to enter into an infinite loop. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/90987](<https://exchange.xforce.ibmcloud.com/vulnerabilities/90987>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** IBM X-Force ID: **220723 \n** DESCRIPTION: **Apache Commons Fileupload could allow a remote attacker to obtain sensitive information, caused by a resource leak flaw in the FileUploadBase class. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/220723 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/220723>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Business Service Manager| 6.2.0 \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nIBM Tivoli Business Service Manager 6.2.0| 6.2.0.4| IJ32982| Upgrade to [IBM Tivoli Business Service Manager 6.2.0.4](<https://www.ibm.com/support/pages/node/6578641> \"IBM Tivoli Business Service Manager 6.2.0.4\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-26T05:34:17", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Commons Fileupload affects IBM Tivoli Business Service Manager (CVE-2013-2186, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, 220723)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0248", "CVE-2013-2186", "CVE-2014-0050", "CVE-2016-3092"], "modified": "2022-09-26T05:34:17", "id": "8155B091E8A9E365D7BF4DC2FC7DA1113C991153BF54EDFFC2BCC3322D0D6281", "href": "https://www.ibm.com/support/pages/node/6606997", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-23T21:50:33", "description": "## Summary\n\nA vulnerability in Jsch affects IBM System Networking Switch Center. IBM System Networking Switch Center has addressed the vulnerability.\n\n## Vulnerability Details\n\n**Summary**\n\nA vulnerability in Jsch affects IBM System Networking Switch Center. IBM System Networking Switch Center has addressed the vulnerability.\n\n**Vulnerability Details:**\n\n**CVEID:** [CVE-2016-5725](<https://vulners.com/cve/CVE-2016-5725>)\n\n**Description:** JSch could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the implementation for recursive sftp-get containing \"dot dot\" sequences (/../) to download the malicious files outside the client download base directory.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117122> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\n**Affected Products and Versions**\n\nProduct | Affected Version \n---|--- \nIBM System Networking Switch Center | 7.3 \n \n**Remediation/Fixes:**\n\nFirmware fix versions are available on Fix Central: \n<http://www.ibm.com/support/fixcentral/>.\n\nProduct | Fix Version \n---|--- \nIBM System Networking Switch Center \n\\- Windows English Install Package (CNK7TEN) \n\\- AIX English Install Package (CNK7SEN) \n\\- Linux English Install Package (CNK7REN) | 7.3.3 \n \n**Workaround(s) &amp; Mitigation(s):**\n\nNone\n\n**References:**\n\n * [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide.html>)\n * [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n[Lenovo Product Security Advisories](<https://support.lenovo.com/us/en/product_security/home>)\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n26 July 2017: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: IBM System Networking Switch Center is affected by a Jsch vulnerability (CVE-2016-5725)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2019-01-31T02:25:02", "id": "270059310308ADDF90FB6FA65F9F800BC7784217CB7B74FA653E7420EBD96506", "href": "https://www.ibm.com/support/pages/node/868754", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:44:42", "description": "## Summary\n\nDirectory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2016-5725](<https://vulners.com/cve/CVE-2016-5725>) \n** DESCRIPTION: **JSch could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the implementation for recursive sftp-get containing \"dot dot\" sequences (/../) to download the malicious files outside the client download base directory. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/117122](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117122>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nUCD - IBM UrbanCode Deploy| 6.2.7.4 \nUCD - IBM UrbanCode Deploy| 6.2.7.3 \nUCD - IBM UrbanCode Deploy| 7.0.4.0 \nUCD - IBM UrbanCode Deploy| 7.0.3.0 \nUCD - IBM UrbanCode Deploy| All \n \n\n\n## Remediation/Fixes\n\nUpdate to z/OS Utility plugin version 54\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-29T21:04:31", "type": "ibm", "title": "Security Bulletin: Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2021-03-29T21:04:31", "id": "926CD83AAB7DA7EA60F3ED2C60C4D2004D06E2189562B75111B63EE52FE070C2", "href": "https://www.ibm.com/support/pages/node/6437559", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-27T17:44:38", "description": "## Summary\n\nMultiple vulnerabilities in Apache Commons Collections used by IBM InfoSphere Information Server were addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-4852](<https://vulners.com/cve/CVE-2015-4852>) \n** DESCRIPTION: **The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n** DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n** DESCRIPTION: **Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-7501](<https://vulners.com/cve/CVE-2015-7501>) \n** DESCRIPTION: **Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-13116](<https://vulners.com/cve/CVE-2019-13116>) \n** DESCRIPTION: **MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169704](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169704>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Information Server| 11.7 \n \n\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud| 11.7| [JR64991](<https://www.ibm.com/support/pages/apar/JR64991> \"JR64991\" ) \n| \\--Apply InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/docview.wss?uid=ibm10878310> \"11.7.1.0\" ) \n\\--Apply InfoSphere Information Server version [11.7.1.4](<https://www.ibm.com/support/pages/node/6620275> \"11.7.1.4\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T22:00:35", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Commons Collections affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2015-7501", "CVE-2017-15708", "CVE-2019-13116"], "modified": "2022-10-14T22:00:35", "id": "DAB88099018B311F83DAFDB9431625A326A00FF72BE126856DCECA1262D7C308", "href": "https://www.ibm.com/support/pages/node/6829349", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T17:43:35", "description": "## Summary\n\nIBM Security Verify Governance uses Apache Commons Collections library which is vulnerable to arbitrary code execution by an attacker by sending specially crafted serialized objects (CVE-2017-15708, CVE-2015-7501, CVE-2015-6420, CVE-2015-4852, CVE-2019-13116). The fix includes upgrading the Commons Collections jar to the patched version.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n** DESCRIPTION: **Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-7501](<https://vulners.com/cve/CVE-2015-7501>) \n** DESCRIPTION: **Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n** DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-4852](<https://vulners.com/cve/CVE-2015-4852>) \n** DESCRIPTION: **The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-13116](<https://vulners.com/cve/CVE-2019-13116>) \n** DESCRIPTION: **MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169704](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169704>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Governance| 10.0 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)\n\n| \n\nVersion(s)\n\n| \n\nFirst Fix \n \n---|---|--- \n \nIBM Security Verify Governance\n\n| \n\n10.0.1\n\n| \n\n[10.0.1.0-ISS-ISVG-IGVA-FP0002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Governance&release=10.0.0.0&platform=Linux&function=fixId&fixids=10.0.1.0-ISS-ISVG-IGVA-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n**IBM strongly recommends addressing the vulnerability now.**\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T16:37:00", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of Apache Commons Collections (multiple vulnerabilities)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2015-7501", "CVE-2017-15708", "CVE-2019-13116"], "modified": "2022-11-22T16:37:00", "id": "9A19B1A61B0A4ADFDBA9E428552BF21656703586B14AC314FFC9B663C7D9BDEB", "href": "https://www.ibm.com/support/pages/node/6841039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:44:32", "description": "## Summary\n\nIBM Tivoli Netcool Configuration Manager (ITNCM) has addressed the following potential XStream vulnerability.\n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2017-7957_](<https://vulners.com/cve/CVE-2017-7957>)** \nDESCRIPTION: **XStream is vulnerable to a denial of service, caused by the improper handling of attempts to create an instance of the primitive type 'void' during unmarshalling. A remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125800_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nThe following releases are affected: \n \nITNCM 6.4.2.0 - 6.4.2.4 \nITNCM 6.4.1.0 - 6.4.1.4 \n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nITNCM| 6.4.2.4| None| For a Standalone ITNCM installation, Standalone Worker server or OOBC environment, install fix pack [6.4.2-TIV-ITNCM-FP005](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.4.2.4&platform=All&function=all>) \nITNCM| 6.4.1.4| None| Install [interim fix: 6.4.1.4-TIV-ITNCM-IF007](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FTivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=All&platform=All&function=fixId&fixids=6.4.1.4-TIV-ITNCM-IF007&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&login=true>) \n \nPlease also note the [end of support announcement](<http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS917-138/index.html&lang=en&request_locale=en>) from 12 September 2017 for selected Netcool product versions. \nYou can find detailed information on whether the product version you have installed in your environment is affected by this end of service announcement by following the [Netcool End of Support Knowledge Collection](<https://www-01.ibm.com/support/entdocview.wss?uid=swg22009231>). If your product version is affected, IBM recommend to upgrade your product version to the latest supported version of your product. \nPlease contact your IBM account manager for any question you might have or for any assistance you may require for upgrading an end of service announced offering \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:44:33", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Netcool Configuration Manager (ITNCM) is affected by a XStream vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2018-06-17T15:44:33", "id": "623954A70FECE1147032EEFB914DE7513BD7CFBBF3613D72AE3ADEDF6131D88C", "href": "https://www.ibm.com/support/pages/node/566949", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:49:47", "description": "## Summary\n\nOpen Source XStream is vulnerable to a Denial of Service attack.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-7957_](<https://vulners.com/cve/CVE-2017-7957>)** \nDESCRIPTION:** XStream is vulnerable to a denial of service, caused by the improper handling of attempts to create an instance of the primitive type 'void' during unmarshalling. A remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125800_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\n\u00b7 IBM QRadar SIEM 7.2.0 \u2013 7.2.8 Patch 8 \n\n\u00b7 IBM QRadar SIEM 7.3.0 \u2013 7.3.0 Patch 3\n\n## Remediation/Fixes\n\n[\u00b7 _QRadar/QRM/QVM/QRIF/QNI 7.2.8 Patch 9_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=All&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170726184122&includeRequisites=1&includeS>)\n\n[\u00b7 _QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 4_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=All&function=fixId&fixids=7.3.0-QRADAR-QRSIEM-20170830160510&includeRequisites=1&includeS>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T22:02:18", "type": "ibm", "title": "Security Bulletin: Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2018-06-16T22:02:18", "id": "0E9A4AA745E8DA99E68988A52A69F5E79367E37CC08A08A6C2BB73B338AFB4AD", "href": "https://www.ibm.com/support/pages/node/296129", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:53:24", "description": "## Summary\n\nA vulnerability in XStream was addressed by IBM InfoSphere Information Governance Catalog, IBM InfoSphere Information Server Business Glossary, and IBM InfoSphere Information Server Business Glossary Client for Eclipse.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-7957_](<https://vulners.com/cve/CVE-2017-7957>) \n**DESCRIPTION:** XStream is vulnerable to a denial of service, caused by the improper handling of attempts to create an instance of the primitive type 'void' during unmarshalling. A remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/125800_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/125800>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Governance Catalog: versions 9.1, 11.3, and 11.5 \nIBM InfoSphere Information Server Business Glossary Client for Eclipse: versions 11.3, and 11.5 \nIBM InfoSphere Information Server Business Glossary 9.1 \nIBM InfoSphere Information Server on Cloud version 11.5\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nInfoSphere Information Governance Catalog, Business Glossary Client for Eclipse, Information Server on Cloud| 11.5| [_JR57991_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57991>)| \\--Apply InfoSphere Information Server version [_11.5.0.2_](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply InfoSphere Information Server [_11.5 Service Pack 2_](<http://www.ibm.com/support/docview.wss?uid=swg22008267>) \nInfoSphere Information Governance Catalog, Business Glossary Client for Eclipse| 11.3| [_JR57991_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57991>)| \\--Apply InfoSphere Information Server version [_11.3.1.2 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24040138>) \n\\--Apply InfoSphere Information Governance Catalog [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR57991_IGC_server_engine_client_multi>) \nInfoSphere Business Glossary| 9.1| [_JR57991_](<http://www.ibm.com/support/docview.wss?uid=swg1JR57991>)| \\--Apply InfoSphere Business Glossary [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_security_JR57991_bg_all_multi>) \n \n**Contact Technical Support:** \nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [_open a Service Request_](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T13:48:38", "type": "ibm", "title": "Security Bulletin: A vulnerability in XStream affects IBM InfoSphere Information Governance components", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2018-06-16T13:48:38", "id": "86B993D6503E34FB9416A4008E2B835C55F8299FC3EA8C2C75569BF05DE5B981", "href": "https://www.ibm.com/support/pages/node/562845", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-02T14:37:28", "description": "## Summary\n\nXStream XML information discloure in XStream libraries shipped with IBM Rational Quality Manager could allow a remote attacker to obtain sensitive information. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3674_](<https://vulners.com/cve/CVE-2016-3674>)** \nDESCRIPTION:** XStream libraries shipped with ** **IBM Rational Quality Manager could allow a remote attacker to obtain sensitive information, caused by an error when processing XML external entities. By sending specially-crafted XML data, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111806_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111806>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 4.0.0 - 6.0.2 \n \nRational Quality Manager 6.0 - 6.0.2 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 3.0.1.6\n\n## Remediation/Fixes\n\nNote: In the instructions below, replace Y.Y.Y with the product version you have deployed. For example, replace Y.Y.Y with 6.0.2 if that is the version deployed. \nFor jars with X.X.XXX.vXXX in the instructions below, the X's will be dependent on your exact version. Use the version that is deployed. \n \n1\\. Get the xStream library 1.4.9 version from <http://x-stream.github.io/download.html> \n2\\. Go to the rqm-update-site\\plugins folder in your CLM installation path: \n_C:\\&lt;installation directory&gt;\\server\\conf\\qm\\sites\\rqm-update-site_ \n3\\. Locate the jar file: com.ibm.rational.test.lm.service_X.X.XXX.vXXX.jar \n\na. Make a backup \nb. Open the jar and from inside \nc. Delete the files:** **_xstream-Y.Y.Y.jar_ and _xstream-SNAPSHOT.jar_ \nd. Copy the new xStream library the same place (xstream-1.4.9.jar) \ne. Edit the build.properties file. i. Delete the following lines: **xstream-Y.Y.Y.jar,\\**** **and** ****xstream-SNAPSHOT.jar,\\** \nii. Add the following line in the same place: **xstream-1.4.9.jar,\\** f. Edit the META-INF\\MANIFEST.MF file. i. Delete the following lines:** ****xstream-Y.Y.Y.jar,**** **and** ****xstream-SNAPSHOT.jar,** \nii. Add the following line in the same place: **xstream-1.4.9.jar,** 4\\. Locate the jar file: com.ibm.rqm.process.deployment_X.X.XXX.vXXX.jar a. Make a backup \nb. Open the jar and from inside \nc. Delete the files: _lib\\xstream-Y.Y.Y.jar_ \nd. Copy the new xStream library the same place (xstream-1.4.9.jar) \ne. Edit the build.properties file. i. Delete the following lines: **lib/xstream-Y.Y.Y.jar,\\** \nii. Add the following line in the same place: **lib/xstream-1.4.9.jar,\\** f. Edit the META-INF\\MANIFEST.MF file. i. Delete the following lines: **lib/xstream-Y.Y.Y.jar,** \nii. Add the following line in the same place: **lib/xstream-1.4.9.jar,** 5\\. Restart the server. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: XStream XML information discloure vulnerability affects IBM\u00ae Rational\u00ae Quality Manager (CVE-2016-3674)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2021-04-28T18:35:50", "id": "E089CD8F4E1283BE8ED3A30F96421499F2E0C3F867875E0345CFFE45A636E65E", "href": "https://www.ibm.com/support/pages/node/553157", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-23T21:42:10", "description": "## Summary\n\nA vulnerability in Apache Ant was addressed by IBM InfoSphere Information Server. \n\n## Vulnerability Details\n\n**CVEID:** _[CVE-2012-2098](<https://vulners.com/cve/CVE-2012-2098>)_ \n**DESCRIPTION:** Apache Commons Compress and Apache Ant are vulnerable to a denial of service, caused by an error when using bzip2 compression to compress files. By passing specially-crafted input to the BZip2CompressorOutputStream class, a remote attacker could exploit this vulnerability to consume all available resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/75857>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server: versions 11.3, 11.5, and 11.7 \nIBM InfoSphere Information Server on Cloud: versions 11.5, and 11.7\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud | 11.7 | [_JR60963_](<http://www.ibm.com/support/docview.wss?uid=swg1JR60963>) | \\--Apply IBM InfoSphere Information Server version [_11.7.1.0_](<https://www.ibm.com/support/docview.wss?uid=ibm10878310>) \n\\--Apply IBM InfoSphere Information Server _[11.7.1.0 Service Pack 1](<http://www.ibm.com/support/docview.wss?uid=ibm10957209>)_ \n \n \nInfoSphere Information Server, Information Server on Cloud | 11.5 | \n\n[_JR60963_](<http://www.ibm.com/support/docview.wss?uid=swg1JR60963>)\n\n[_JR61551_](<http://www.ibm.com/support/docview.wss?uid=swg1JR61551>)\n\n| \\--Apply InfoSphere Information Server version [_11.5.0.2_](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply InfoSphere Information Server [_11.5.0.2 Service Pack 6_](<https://www-01.ibm.com/support/docview.wss?uid=ibm10957521>) \n\\--Apply InfoSphere _[Information Server Framework Security patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_isf_ru12_services_engine_client_multi>)_ \n\\--Apply InfoSphere [_Metadata Asset Manager Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_JR60965_imam_services_engine_all*>) \n\\--Apply InfoSphere [_Governance Catalog Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_JR61551_IGC_services_engine_all>) \n\\--Apply InfoSphere [_Component Installer Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_JR60963_comp-inst_engine_*>) \n\\--Apply InfoSphere [_Common Metadata Services Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_JR60965_CMS_services_engine_all*>) \nInfoSphere Information Server | 11.3 | [_JR60963_](<http://www.ibm.com/support/docview.wss?uid=swg1JR60963>) | \\--Upgrade to a new release where the issue has been addressed \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [contacts for other countries](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [open a Service Request](<http://www.ibm.com/software/support/probsub.html>) with Information Server Technical Support.\n\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2019-11-01T21:23:52", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Ant affects IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2019-11-01T21:23:52", "id": "353D1C6BCD631024A42E1D490141E816161A8A6A01F6D551CFADA25D97B22F33", "href": "https://www.ibm.com/support/pages/node/887113", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-26T17:54:33", "description": "## Summary\n\nIBM TRIRIGA Application Platform discloses CVE-2016-3093\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2016-3093](<https://vulners.com/cve/CVE-2016-3093>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by the improper implementation of cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TRIRIGA Application Platform| All \nIBM TRIRIGA Application Suite| All \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| \n\n**Remediation/First Fix** \n \n---|---|--- \nIBM TRIRIGA Application Platform| 3.6.1.3| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.6.1.3&language=en_US> \"FixCentral\" ). \nIBM TRIRIGA Application Platform| 3.7.0.1| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.7.0.1&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 3.8.0.1| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.8.0.1&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 4.0.2| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%204.0.2&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 4.1.1| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%204.1.1&language=en_US> \"FixCental\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-08-30T16:40:55", "type": "ibm", "title": "Security Bulletin:IBM TRIRIGA Application Platform discloses CVE-2016-3093", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2022-08-30T16:40:55", "id": "EB2D86A7BBA252757A65C0A0A0329A0AD6B47B01B8C03C060D72D11BD2074A52", "href": "https://www.ibm.com/support/pages/node/6616287", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "githubexploit": [{"lastseen": "2022-03-23T16:36:01", "description": "Hi.\n\nBuilding c3p0 should be as easy as editing build.properties...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-13T12:08:30", "type": "githubexploit", "title": "Exploit for Improper Restriction of XML External Entity Reference in Mchange C3P0", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2020-12-13T12:10:34", "id": "25C1C38A-8474-541F-8A69-2CF8DAC80EEB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "veracode": [{"lastseen": "2023-04-18T13:24:12", "description": "c3p0 is vulnerable to XML external entity (XXE) attacks. The external entity expansion is not disabled in the XML parser, which would allow a remote attacker to perform XXE attacks via a crafted XML document. This CVE is also known as CVE-2019-5427.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-26T01:56:50", "type": "veracode", "title": "XML External Entity (XXE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2020-05-04T02:26:04", "id": "VERACODE:8075", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-8075/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T15:27:42", "description": "Apache Synapse uses a vulnerable version of commons-collections. This allows attackers to exploit the use of the vulnerable library to perform remote code execution (RCE) attacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-11T01:11:22", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15708"], "modified": "2022-03-08T17:15:26", "id": "VERACODE:5546", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-5546/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T16:26:48", "description": "xstream-core is vulnerable to Denial of Service (DoS) attacks. The vulnerability is caused when it unmarshals `void`, and the issue allows a remote attacker to crash the target system.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-05-02T03:07:21", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2019-05-15T06:18:36", "id": "VERACODE:4053", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-4053/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-18T16:10:45", "description": "Apache Xerces is vulnerable to denial of service (DoS) attacks. Using a message sent to the XML service, attackers can cause hash table collisions, long processing time and ultimately the crashing of an application.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-31T05:53:02", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881"], "modified": "2023-02-13T01:47:25", "id": "VERACODE:5352", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-5352/summary", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "fedora": [{"lastseen": "2021-07-28T14:46:51", "description": "c3p0 is an easy-to-use library for augmenting traditional JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 standard extension. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-29T02:59:54", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: c3p0-0.9.5.4-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2019-05-29T02:59:54", "id": "FEDORA:EAC816021840", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "c3p0 is an easy-to-use library for augmenting traditional JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 standard extension. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-29T00:50:47", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: c3p0-0.9.5.4-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2019-05-29T00:50:47", "id": "FEDORA:E6ABF605A2A5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-04-26T21:24:48", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: xstream-1.4.9-1.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-04-26T21:24:48", "id": "FEDORA:3403F601DEC5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JOWPI37IF6AXNZEBV7BVT3YXNGW562DP/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-04-04T17:28:40", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: xstream-1.4.9-1.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-04-04T17:28:40", "id": "FEDORA:EFE7B60E36E5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SG3YN44GD5FSWADKPMNSPABYRZQQIR5E/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. XStream serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. Duplicate references encountered in the object-model will be maintained. Supports circular references. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). Strategies can be registered allowing customization of how particular types are represented as XML. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-04-26T20:58:33", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: xstream-1.4.9-1.fc23", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-04-26T20:58:33", "id": "FEDORA:A486D601BFF8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JU6P2ZO5AZTBW546M5FH6MNAG5BI2KSP/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "description": "The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an application server which is like a J2EE application server, without all the baggage. ", "cvss3": {}, "published": "2013-05-11T00:26:08", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: plexus-archiver-2.3-1.fc17", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2013-05-11T00:26:08", "id": "FEDORA:9013E20C03", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UBNHDW2F2EWGUW2ABW4QYTTT36YHL2JA/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "description": "The code in this component came from Avalon's Excalibur, but originally from Ant, as far as life in Apache goes. The tar package is originally Tim Endres' public domain package. The bzip2 package is based on the work done by Keiron Liddle. It has migrated via: Ant -> Avalon-Excalibur -> Commons-IO -> Commons-Compress. ", "cvss3": {}, "published": "2012-06-03T23:26:27", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: apache-commons-compress-1.4.1-1.fc16", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2012-06-03T23:26:27", "id": "FEDORA:787E821133", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EMHTBXCAPZ2TPHWRJFZ5PWSRBWTADYXM/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "description": "The code in this component came from Avalon's Excalibur, but originally from Ant, as far as life in Apache goes. The tar package is originally Tim Endres' public domain package. The bzip2 package is based on the work done by Keiron Liddle. It has migrated via: Ant -> Avalon-Excalibur -> Commons-IO -> Commons-Compress. ", "cvss3": {}, "published": "2012-06-02T23:56:50", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: apache-commons-compress-1.4.1-1.fc17", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2012-06-02T23:56:50", "id": "FEDORA:D5702210FC", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OD2EC64NBDEPOEQVM4HTG7IRS4F6ZKIK/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "description": "The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an application server which is like a J2EE application server, without all the baggage. ", "cvss3": {}, "published": "2013-05-11T00:27:50", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: plexus-archiver-2.3-1.fc18", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2013-05-11T00:27:50", "id": "FEDORA:E9B33209C0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/43G3YX74XUZFEKNGWRMIXB2SR2JZOFUA/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "description": "The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an application server which is like a J2EE application server, without all the baggage. ", "cvss3": {}, "published": "2013-05-11T03:16:43", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: plexus-archiver-2.3-1.fc19", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2013-05-11T03:16:43", "id": "FEDORA:13FF82114D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FKDNKWTYTG4NCWKEJBSKAMOT3QS5YOBU/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "hackerone": [{"lastseen": "2023-05-27T15:19:09", "bounty": 0.0, "description": "> NOTE! Thanks for submitting a report! Please replace *all* the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Please refer to the **[example on our policy page](/central-security-project?view_policy=true#disclosure-example)**.\n\n# Maven artifact\n**groupId:** com.mchange\n**artifactId:** c3p0\n**version:** 0.9.5.3\n\n# Vulnerability\n## Vulnerability Description\n> `c3p0/src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java` does not protect against recursive entity expansion when loading configuration. \n\n## Additional Details\n**Source File and Line Number:** https://github.com/swaldman/c3p0/blob/c3p0-0.9.5.3/src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java#L154\n\n## Steps To Reproduce:\n> Detailed steps to reproduce with all required references/steps/commands. Any sample/exploit code or other proof of concept.\n\n1) Use `C3P0ConfigXmlUtils.extractXmlConfigFromInputStream()` on Billion Laughs XML payload\n2) Have a billion laughs while the JVM crashes.\n\n```\nimport com.mchange.v2.c3p0.cfg.C3P0ConfigXmlUtils;\nimport java.io.InputStream;\n\npublic class C3P0PoC {\n\n public static void main(String[] args) throws Exception {\n\n String payload = args[0];\n InputStream inputStream = C3P0PoC.class.getResourceAsStream(payload);\n\n C3P0ConfigXmlUtils.extractXmlConfigFromInputStream(inputStream, false);\n\n\n System.out.println(\"Completed!\");\n }\n}\n```\n\nXML Payload\n```\n<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol \"lol\">\n <!ELEMENT lolz (#PCDATA)>\n <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n ]>\n<lolz>&lol9;</lolz>\n```\n\n## Patch\n\nThe patch given was adapted from [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j)\n\nApply the following before calling `fact.newDocumentBuilder()`.\n```\nString FEATURE = null;\nFEATURE = \"http://apache.org/xml/features/disallow-doctype-decl\";\nfact.setFeature(FEATURE, true);\n```\n\n## Supporting Material/References:\n> State all technical information about the stack where the vulnerability was found\n- Darwin Kernel Version 18.2.0\n- 1.8.0_171\n- 3.3.9\n\n# Wrap up\n> Select Y or N for the following statements:\n- I contacted the maintainer to let them know: N \n- I opened an issue in the related repository: N\n\n> Finder's comments and funny memes goes here\n\nHonestly, this is a pretty complicated attack to pull off. The attack requires poisoned XML configuration data to make to the component's client code. I may have held off on reporting it, but the maintainer did acknowledge a similar attack, twas XXE, under CVE-2018-20433. Since the reporter didn't dispute it, I decided to report this attack as valid as well.\n\nVulnerabilities like these exist because https://docs.oracle.com/javase/7/docs/api/javax/xml/parsers/DocumentBuilderFactory.html#setExpandEntityReferences(boolean) is a poorly named and documented method thus causing misunderstanding.\n\nI'm on my third five hour energy today.\n\n## Impact\n\nThis could be leveraged by an attacker to cause a Denial of Service by crashing the JVM that the server process is running on.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-13T16:34:01", "type": "hackerone", "title": "Central Security Project: c3p0 may be exploited by a Billion Laughs Attack when loading XML configuration", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433", "CVE-2019-5427"], "modified": "2019-04-16T20:05:48", "id": "H1:509315", "href": "https://hackerone.com/reports/509315", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "atlassian": [{"lastseen": "2021-09-01T06:43:22", "description": "Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were:\r\n * CVE-2012-0881\r\n * CVE-2019-10172\r\n * CVE-2018-1000632\r\n * CVE-2016-1000031\r\n * CVE-2014-0114\r\n * CVE-2020-26217\r\n\r\nThe affected versions are before version 4.8.6.\r\n\r\n*Affected versions:*\r\n * version < 4.8.6\r\n\r\n*Fixed versions:*\r\n * 4.8.6 \u00a0", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-03T22:43:13", "type": "atlassian", "title": "Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26217", "CVE-2012-0881", "CVE-2014-0114", "CVE-2019-10172", "CVE-2018-1000632", "CVE-2016-1000031"], "modified": "2021-09-01T06:01:40", "id": "ATLASSIAN:FE-7345", "href": "https://jira.atlassian.com/browse/FE-7345", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T14:59:10", "description": "Affected versions of Atlassian Fisheye and Crucible allow an unauthenticated remote attacker to achieve remote code execution, denial of service and XML external entities in Atlassian Gadgets. The CVEs involved were:\r\n * CVE-2012-0881\r\n * CVE-2019-10172\r\n * CVE-2018-1000632\r\n * CVE-2016-1000031\r\n * CVE-2014-0114\r\n * CVE-2020-26217\r\n\r\nThe affected versions are before version 4.8.6.\r\n\r\n*Affected versions:*\r\n * version < 4.8.6\r\n\r\n*Fixed versions:*\r\n * 4.8.6 \u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T22:43:13", "type": "atlassian", "title": "Update atlassian-gadgets to 4.2.39 to fix CVE-2012-0881, CVE-2014-0114 and other vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881", "CVE-2014-0114", "CVE-2016-1000031", "CVE-2018-1000632", "CVE-2019-10172", "CVE-2020-26217"], "modified": "2023-05-09T17:48:27", "id": "FE-7345", "href": "https://jira.atlassian.com/browse/FE-7345", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:39", "description": "The bundled version of XStream in Fisheye before version 4.7.1 was vulnerable to CVE-2016-3674 (https://nvd.nist.gov/vuln/detail/CVE-2016-3674).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-07-08T23:32:08", "type": "atlassian", "title": "Upgrade Xstream to address CVE-2016-3674", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2019-12-05T01:31:00", "id": "ATLASSIAN:FE-7200", "href": "https://jira.atlassian.com/browse/FE-7200", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-28T14:40:48", "description": "The bundled version of XStream in Crucible before version 4.7.1 was vulnerable to CVE-2016-3674 (https://nvd.nist.gov/vuln/detail/CVE-2016-3674).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-07-08T23:36:22", "type": "atlassian", "title": "Upgrade Xstream to address CVE-2016-3674", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2019-12-05T01:31:00", "id": "ATLASSIAN:CRUC-8411", "href": "https://jira.atlassian.com/browse/CRUC-8411", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-26T15:24:36", "description": "The bundled version of XStream in Crucible before version 4.7.1 was vulnerable to CVE-2016-3674 (https://nvd.nist.gov/vuln/detail/CVE-2016-3674).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-07-08T23:36:22", "type": "atlassian", "title": "Upgrade Xstream to address CVE-2016-3674", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2019-12-05T01:31:00", "id": "CRUC-8411", "href": "https://jira.atlassian.com/browse/CRUC-8411", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-26T15:19:04", "description": "The bundled version of XStream in Fisheye before version 4.7.1 was vulnerable to CVE-2016-3674 (https://nvd.nist.gov/vuln/detail/CVE-2016-3674).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-07-08T23:32:08", "type": "atlassian", "title": "Upgrade Xstream to address CVE-2016-3674", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2019-12-05T01:31:00", "id": "FE-7200", "href": "https://jira.atlassian.com/browse/FE-7200", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2023-05-25T16:21:22", "description": "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-12T21:58:49", "type": "redhat", "title": "(RHSA-2017:2889) Important: Red Hat JBoss BPM Suite 6.4.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5645", "CVE-2017-7957", "CVE-2019-17571"], "modified": "2019-12-26T04:37:26", "id": "RHSA-2017:2889", "href": "https://access.redhat.com/errata/RHSA-2017:2889", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-25T16:21:22", "description": "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-12T21:58:30", "type": "redhat", "title": "(RHSA-2017:2888) Important: Red Hat JBoss BRMS 6.4.6 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5645", "CVE-2017-7957", "CVE-2019-17571"], "modified": "2019-12-26T04:38:51", "id": "RHSA-2017:2888", "href": "https://access.redhat.com/errata/RHSA-2017:2888", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:34:45", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.5.0 serves as an update to Red Hat Process Automation Manager 7.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)\n\n* jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message (CVE-2019-12814)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-31T19:07:44", "type": "redhat", "title": "(RHSA-2019:3297) Important: Red Hat Process Automation Manager 7.5.0 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-12814", "CVE-2019-14379"], "modified": "2019-10-31T19:08:11", "id": "RHSA-2019:3297", "href": "https://access.redhat.com/errata/RHSA-2019:3297", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:34:45", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.5.0 serves as an update to Red Hat Decision Manager 7.4.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)\n\n* jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message (CVE-2019-12814)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-31T17:24:46", "type": "redhat", "title": "(RHSA-2019:3292) Important: Red Hat Decision Manager 7.5.0 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12384", "CVE-2019-12814", "CVE-2019-14379"], "modified": "2019-10-31T17:25:30", "id": "RHSA-2019:3292", "href": "https://access.redhat.com/errata/RHSA-2019:3292", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2023-05-27T10:57:27", "description": "### Background\n\nThe Apache Commons FileUpload package makes it easy to add robust, high-performance, file upload capability to your servlets and web applications. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache Commons FileUpload. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo has discontinued support for Apache Commons FileUpload. We recommend that users unmerge it: \n \n \n # emerge --ask --depclean \"dev-java/commons-fileupload\"\n \n\nNOTE: The Gentoo developer(s) maintaining Apache Commons FileUpload have discontinued support at this time. It may be possible that a new Gentoo developer will update Apache Commons FileUpload at a later date. We do not have a suggestion for a replacement at this time.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-17T00:00:00", "type": "gentoo", "title": "Apache Commons FileUpload: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0248", "CVE-2014-0050", "CVE-2016-3092"], "modified": "2021-07-17T00:00:00", "id": "GLSA-202107-39", "href": "https://security.gentoo.org/glsa/202107-39", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-27T14:58:16", "description": "### Background\n\nApache Commons Collections extends the JCF classes with new interfaces, implementations and utilities. \n\n### Description\n\nSome classes in the Apache Commons Collections functor package deserialized potentially untrusted input by default. \n\n### Impact\n\nDeserializing untrusted input using Apache Commons Collections could result in remote code execution. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache Commons Collections users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=dev-java/commons-collections-3.2.2\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T00:00:00", "type": "gentoo", "title": "Apache Commons Collections: Remote code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15708"], "modified": "2021-07-16T00:00:00", "id": "GLSA-202107-37", "href": "https://security.gentoo.org/glsa/202107-37", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-05-26T14:41:56", "description": "DaoAuthenticationProvider in VMware SpringSource Spring Security before\n2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the\npassword if the user is not found, which makes the response delay shorter\nand might allow remote attackers to enumerate valid usernames via a series\nof login requests.", "cvss3": {}, "published": "2012-12-05T00:00:00", "type": "ubuntucve", "title": "CVE-2012-5055", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5055"], "modified": "2012-12-05T00:00:00", "id": "UB:CVE-2012-5055", "href": "https://ubuntu.com/security/CVE-2012-5055", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T13:47:17", "description": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in\ncom/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917257>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-24T00:00:00", "type": "ubuntucve", "title": "CVE-2018-20433", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2018-12-24T00:00:00", "id": "UB:CVE-2018-20433", "href": "https://ubuntu.com/security/CVE-2018-20433", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-26T14:50:46", "description": "Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server\n(WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9\nthrough 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse,\nApache ODE, Apache Tuscany, Apache Geronimo, and other products, does not\nproperly reject DTDs in SOAP messages, which allows remote attackers to\nread arbitrary files, send HTTP requests to intranet servers, or cause a\ndenial of service (CPU and memory consumption) via a crafted DTD, as\ndemonstrated by an entity declaration in a request to the Synapse\nSimpleStockQuoteService.", "cvss3": {}, "published": "2010-06-22T00:00:00", "type": "ubuntucve", "title": "CVE-2010-1632", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1632"], "modified": "2010-06-22T00:00:00", "id": "UB:CVE-2010-1632", "href": "https://ubuntu.com/security/CVE-2010-1632", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:02:38", "description": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows,\nwhen the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write\nto arbitrary files via a ..\\ (dot dot backslash) in a response to a\nrecursive GET command.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-01-19T00:00:00", "type": "ubuntucve", "title": "CVE-2016-5725", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2017-01-19T00:00:00", "id": "UB:CVE-2016-5725", "href": "https://ubuntu.com/security/CVE-2016-5725", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-27T13:59:17", "description": "XStream through 1.4.9, when a certain denyTypes workaround is not used,\nmishandles attempts to create an instance of the primitive type 'void'\nduring unmarshalling, leading to a remote application crash, as\ndemonstrated by an xstream.fromXML(\"<void/>\") call.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861521>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-04-29T00:00:00", "type": "ubuntucve", "title": "CVE-2017-7957", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2017-04-29T00:00:00", "id": "UB:CVE-2017-7957", "href": "https://ubuntu.com/security/CVE-2017-7957", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-26T14:13:34", "description": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a\ndenial of service (CPU consumption) via a crafted message to an XML\nservice, which triggers hash table collisions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-30T00:00:00", "type": "ubuntucve", "title": "CVE-2012-0881", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881"], "modified": "2017-10-30T00:00:00", "id": "UB:CVE-2012-0881", "href": "https://ubuntu.com/security/CVE-2012-0881", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-27T14:06:49", "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver,\n(2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6)\nStandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9\nallow remote attackers to read arbitrary files via a crafted XML document.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819455>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-17T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3674", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2016-05-17T00:00:00", "id": "UB:CVE-2016-3674", "href": "https://ubuntu.com/security/CVE-2016-3674", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-26T14:44:12", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2\ncompressing stream (BZip2CompressorOutputStream) in Apache Commons Compress\nbefore 1.4.1 allows remote attackers to cause a denial of service (CPU\nconsumption) via a file with many repeating inputs.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674448>\n", "cvss3": {}, "published": "2012-06-29T00:00:00", "type": "ubuntucve", "title": "CVE-2012-2098", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2012-06-29T00:00:00", "id": "UB:CVE-2012-2098", "href": "https://ubuntu.com/security/CVE-2012-2098", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-27T14:06:30", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method\nreferences when used with OGNL before 3.0.12, which allows remote attackers\nto cause a denial of service (block access to a web site) via unspecified\nvectors.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | struts 2.x only\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2016-06-07T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3093", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2016-06-07T00:00:00", "id": "UB:CVE-2016-3093", "href": "https://ubuntu.com/security/CVE-2016-3093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-27T14:12:52", "description": "Directory traversal vulnerability in Pivotal Spring Framework 3.x before\n3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files\nvia a crafted URL.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760733>\n", "cvss3": {}, "published": "2015-02-19T00:00:00", "type": "ubuntucve", "title": "CVE-2014-3578", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3578"], "modified": "2015-02-19T00:00:00", "id": "UB:CVE-2014-3578", "href": "https://ubuntu.com/security/CVE-2014-3578", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T13:44:50", "description": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security\nframework has not been initialized, may allow a remote attacker to run\narbitrary shell commands by manipulating the processed input stream when\nunmarshaling XML or any supported format. e.g. JSON.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734821>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with 1.4.7, it is now possible to define permissions for types. This requires applications to use permissions.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-15T00:00:00", "type": "ubuntucve", "title": "CVE-2013-7285", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7285"], "modified": "2019-05-15T00:00:00", "id": "UB:CVE-2013-7285", "href": "https://ubuntu.com/security/CVE-2013-7285", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-05-26T15:24:23", "description": "DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.", "cvss3": {}, "published": "2022-05-17T05:17:30", "type": "github", "title": "Exposure of Sensitive Information to an Unauthorized Actor in Spring Security", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5055"], "modified": "2023-01-27T05:02:31", "id": "GHSA-3533-RVPC-6X56", "href": "https://github.com/advisories/GHSA-3533-rvpc-6x56", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-27T15:16:28", "description": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-07T19:14:34", "type": "github", "title": "XML External Entity Reference in mchange:c3p0", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2023-01-09T05:03:58", "id": "GHSA-Q485-J897-QC27", "href": "https://github.com/advisories/GHSA-q485-j897-qc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-26T15:24:25", "description": "Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.", "cvss3": {}, "published": "2022-05-17T02:22:43", "type": "github", "title": "Improper Input Validation in Apache Axis2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1632"], "modified": "2023-01-27T05:02:30", "id": "GHSA-23VV-V25H-QWQW", "href": "https://github.com/advisories/GHSA-23vv-v25h-qwqw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:15:15", "description": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-13T01:09:33", "type": "github", "title": "Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2023-01-27T05:02:13", "id": "GHSA-Q446-82VQ-W674", "href": "https://github.com/advisories/GHSA-q446-82vq-w674", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-27T15:16:06", "description": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T18:23:25", "type": "github", "title": "Remote Code Execution in Apache Synapse", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15708"], "modified": "2023-02-01T05:05:04", "id": "GHSA-P694-23Q3-RVRC", "href": "https://github.com/advisories/GHSA-p694-23q3-rvrc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:16:17", "description": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-30T22:48:24", "type": "github", "title": "Denial of service in XStream", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2023-01-09T05:03:31", "id": "GHSA-7HWC-46RM-65JH", "href": "https://github.com/advisories/GHSA-7hwc-46rm-65jh", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-26T15:25:34", "description": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-15T18:51:38", "type": "github", "title": "Denial of service in Apache Xerces2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881"], "modified": "2023-02-13T17:20:41", "id": "GHSA-VMQM-G3VH-847M", "href": "https://github.com/advisories/GHSA-vmqm-g3vh-847m", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-05-26T15:25:34", "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-30T22:48:14", "type": "github", "title": "XML External Entity Injection in XStream", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2023-01-09T05:03:18", "id": "GHSA-RGH3-987H-WPMW", "href": "https://github.com/advisories/GHSA-rgh3-987h-wpmw", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-26T15:24:32", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", "cvss3": {}, "published": "2022-05-13T01:07:05", "type": "github", "title": "Uncontrolled Resource Consumption in Apache Commons Compress", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2023-01-27T05:02:18", "id": "GHSA-6FXM-66HQ-FC96", "href": "https://github.com/advisories/GHSA-6fxm-66hq-fc96", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-26T15:24:24", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-05-17T03:42:18", "type": "github", "title": "Improper Input Validation in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2023-02-13T17:43:48", "id": "GHSA-383P-XQXX-RRMP", "href": "https://github.com/advisories/GHSA-383p-xqxx-rrmp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-05-27T11:12:57", "description": "Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.", "cvss3": {}, "published": "2022-05-14T00:56:29", "type": "github", "title": "Improper Limitation of a Pathname to a Restricted Directory in Spring Framework", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3578"], "modified": "2023-01-27T05:02:11", "id": "GHSA-RHCG-RWHX-QJ3J", "href": "https://github.com/advisories/GHSA-rhcg-rwhx-qj3j", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-05-26T14:11:35", "description": "DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.", "cvss3": {}, "published": "2012-12-05T17:55:00", "type": "cve", "title": "CVE-2012-5055", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5055"], "modified": "2012-12-28T05:00:00", "cpe": ["cpe:/a:vmware:springsource_spring_security:2.0.2", "cpe:/a:vmware:springsource_spring_security:3.0.3", "cpe:/a:vmware:springsource_spring_security:2.0.4", "cpe:/a:vmware:springsource_spring_security:3.0.0", "cpe:/a:vmware:springsource_spring_security:2.0.5", "cpe:/a:vmware:springsource_spring_security:2.0.1", "cpe:/a:vmware:springsource_spring_security:2.0.3", "cpe:/a:vmware:springsource_spring_security:3.0.2", "cpe:/a:vmware:springsource_spring_security:3.0.1", "cpe:/a:vmware:springsource_spring_security:3.0.4", "cpe:/a:vmware:springsource_spring_security:3.1.2", "cpe:/a:vmware:springsource_spring_security:2.0.6", "cpe:/a:vmware:springsource_spring_security:3.1.1", "cpe:/a:vmware:springsource_spring_security:3.0.5", "cpe:/a:vmware:springsource_spring_security:2.0.0"], "id": "CVE-2012-5055", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5055", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:springsource_spring_security:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_security:3.0.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:46:43", "description": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-24T13:29:00", "type": "cve", "title": "CVE-2018-20433", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2019-05-29T05:29:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:mchange:c3p0:0.9.5.2"], "id": "CVE-2018-20433", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20433", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mchange:c3p0:0.9.5.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-26T14:03:26", "description": "Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.", "cvss3": {}, "published": "2010-06-22T20:30:00", "type": "cve", "title": "CVE-2010-1632", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1632"], "modified": "2017-07-30T01:29:00", "cpe": ["cpe:/a:apache:axis2:1.5", "cpe:/a:apache:axis2:1.4.1", "cpe:/a:apache:axis2:1.5.1", "cpe:/a:apache:axis2:1.4", "cpe:/a:apache:axis2:1.3"], "id": "CVE-2010-1632", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1632", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:axis2:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:axis2:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:axis2:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:axis2:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:axis2:1.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:15:20", "description": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-01-19T22:59:00", "type": "cve", "title": "CVE-2016-5725", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2021-06-14T18:15:00", "cpe": ["cpe:/a:jcraft:jsch:0.1.53"], "id": "CVE-2016-5725", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5725", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:jcraft:jsch:0.1.53:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:42:02", "description": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-11T15:29:00", "type": "cve", "title": "CVE-2017-15708", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15708"], "modified": "2022-03-08T15:39:00", "cpe": ["cpe:/a:apache:synapse:3.0.0", "cpe:/a:apache:synapse:1.1.2", "cpe:/a:apache:synapse:1.1", "cpe:/a:apache:synapse:2.1.0", "cpe:/a:apache:synapse:1.0", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56", "cpe:/a:apache:synapse:1.2", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:apache:synapse:1.1.1", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.6", "cpe:/a:apache:synapse:2.0.0", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.8"], "id": "CVE-2017-15708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15708", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T15:06:22", "description": "XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"<void/>\") call.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-04-29T19:59:00", "type": "cve", "title": "CVE-2017-7957", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7957"], "modified": "2019-03-26T17:15:00", "cpe": ["cpe:/a:xstream_project:xstream:1.4.9", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-7957", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:xstream_project:xstream:1.4.9:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-26T14:00:55", "description": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-30T16:29:00", "type": "cve", "title": "CVE-2012-0881", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0881"], "modified": "2023-02-13T00:23:00", "cpe": ["cpe:/a:apache:xerces2_java:2.11.0"], "id": "CVE-2012-0881", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0881", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:apache:xerces2_java:2.11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-26T14:39:05", "description": "Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-17T14:08:00", "type": "cve", "title": "CVE-2016-3674", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3674"], "modified": "2018-03-26T18:47:00", "cpe": ["cpe:/o:fedoraproject:fedora:23", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:xstream_project:xstream:1.4.8", "cpe:/o:fedoraproject:fedora:22"], "id": "CVE-2016-3674", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "cpe:2.3:a:xstream_project:xstream:1.4.8:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-26T14:04:11", "description": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", "cvss3": {}, "published": "2012-06-29T19:55:00", "type": "cve", "title": "CVE-2012-2098", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098"], "modified": "2021-08-12T21:30:00", "cpe": [], "id": "CVE-2012-2098", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": []}, {"lastseen": "2023-05-26T14:37:39", "description": "Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2016-06-07T18:59:00", "type": "cve", "title": "CVE-2016-3093", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3093"], "modified": "2023-02-12T23:18:00", "cpe": ["cpe:/a:apache:struts:2.1.5", "cpe:/a:apache:struts:2.1.1", "cpe:/a:apache:struts:2.3.14.3", "cpe:/a:apache:struts:2.3.16.1", "cpe:/a:apache:struts:2.3.4.1", "cpe:/a:apache:struts:2.3.20", "cpe:/a:apache:struts:2.0.10", "cpe:/a:apache:struts:2.3.1.1", "cpe:/a:apache:struts:2.3.15.2", "cpe:/a:apache:struts:2.3.7", "cpe:/a:apache:struts:2.3.14", "cpe:/a:apache:struts:2.1.4", "cpe:/a:apache:struts:2.3.16.3", "cpe:/a:apache:struts:2.3.15.3", "cpe:/a:apache:struts:2.0.3", "cpe:/a:ognl_project:ognl:3.0.11", "cpe:/a:apache:struts:2.0.0", "cpe:/a:apache:struts:2.0.2", "cpe:/a:apache:struts:2.2.1", "cpe:/a:apache:struts:2.0.11.1", "cpe:/a:apache:struts:2.2.1.1", "cpe:/a:apache:struts:2.1.3", "cpe:/a:apache:struts:2.2.3", "cpe:/a:apache:struts:2.1.6", "cpe:/a:apache:struts:2.3.8", "cpe:/a:apache:struts:2.0.14", "cpe:/a:apache:struts:2.0.13", "cpe:/a:apache:struts:2.3.20.1", "cpe:/a:apache:struts:2.3.1.2", "cpe:/a:apache:struts:2.3.4", "cpe:/a:apache:struts:2.1.8", "cpe:/a:apache:struts:2.3.15.1", "cpe:/a:apache:struts:2.0.9", "cpe:/a:apache:struts:2.0.8", "cpe:/a:apache:struts:2.3.16.2", "cpe:/a:apache:struts:2.2.3.1", "cpe:/a:apache:struts:2.1.0", "cpe:/a:apache:struts:2.1.2", "cpe:/a:apache:struts:2.3.20.3", "cpe:/a:apache:struts:2.0.7", "cpe:/a:apache:struts:2.3.15", "cpe:/a:apache:struts:2.0.6", "cpe:/a:apache:struts:2.0.4", "cpe:/a:apache:struts:2.0.11.2", "cpe:/a:apache:struts:2.0.11", "cpe:/a:apache:struts:2.0.12", "cpe:/a:apache:struts:2.3.16", "cpe:/a:apache:struts:2.3.24.1", "cpe:/a:apache:struts:2.1.8.1", "cpe:/a:apache:struts:2.3.1", "cpe:/a:apache:struts:2.3.12", "cpe:/a:apache:struts:2.3.24", "cpe:/a:apache:struts:2.0.5", "cpe:/a:apache:struts:2.3.14.1", "cpe:/a:apache:struts:2.0.1", "cpe:/a:apache:struts:2.3.14.2"], "id": "CVE-2016-3093", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3093", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ognl_project:ognl:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T10:12:31", "description": "Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.", "cvss3": {}, "published": "2015-02-19T20:59:00", "type": "cve", "title": "CVE-2014-3578", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3578"], "modified": "2019-07-14T00:15:00", "cpe": [], "id": "CVE-2014-3578", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3578", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-05-27T14:14:06", "description": "Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-15T17:29:00", "type": "cve", "title": "CVE-2013-7285", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7285"], "modified": "2022-04-25T13:15:00", "cpe": ["cpe:/a:xstream_project:xstream:1.4.6", "cpe:/a:xstream_project:xstream:1.4.10"], "id": "CVE-2013-7285", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:xstream_project:xstream:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:xstream_project:xstream:1.4.10:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2023-05-27T15:12:08", "description": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-12-24T13:29:00", "type": "debiancve", "title": "CVE-2018-20433", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20433"], "modified": "2018-12-24T13:29:00", "id": "DEBIANCVE:CVE-2018-20433", "href": "https://security-tracker.debian.org/tracker/CVE-2018-20433", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:13:39", "description": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-01-19T22:59:00", "type": "debiancve", "title": "CVE-2016-5725", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5725"], "modified": "2017-01-19T22: