Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_WEBCENTER_PORTAL_CPU_JUL_2020.NBIN
HistoryJul 16, 2020 - 12:00 a.m.

Oracle WebCenter Portal Multiple Vulnerabilities (Jul 2020 CPU)

2020-07-1600:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
20
JSON

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the July 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including the following:

  • A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. This is part of the Security Framework component and is an easily exploitable vulnerability hat allows an unauthenticated attacker with network access to compromise Oracle WebCenter Portal. (CVE-2019-17531)

  • A vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer).
    Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. This is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Portal accessible data as well as unauthorized read access to a subset of Oracle WebCenter Portal accessible data and the unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Portal. (CVE-2020-14611)

  • A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006, which is used in Oracle WebCenter Portal’s WebCenter Spaced Application component.
    This difficult to exploit vulnerability allows an unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle WebCenter Portal executes to compromise Oracle WebCenter Portal. (CVE-2019-0227)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.

Binary data oracle_webcenter_portal_cpu_jul_2020.nbin
VendorProductVersionCPE
oraclefusion_middlewarecpe:/a:oracle:fusion_middleware

Related

prion 3
cve 3
symantec 2
osv 7
redhat 13
debiancve 2
veracode 1
redhatcve 2
ubuntucve 2
github 2
ibm 33
rhino 1
githubexploit 1
packetstorm 1
exploitpack 1
zdt 1
nessus 18
checkpoint_advisories 1
debian 1
f5 1
openvas 1
exploitdb 1
almalinux 1
oraclelinux 1
cloudfoundry 1
rocky 1
qualysblog 1
kaspersky 1
mageia 1
ubuntu 1
hp 1
oracle 13
prion
prion
Design/Logic Flaw
2020-07-15 18:15:00
Design/Logic Flaw
2019-10-12 21:15:00
Server side request forgery (ssrf)
2019-05-01 21:29:00
cve
cve
CVE-2020-14611
2020-07-15 18:15:00
CVE-2019-17531
2019-10-12 21:15:00
CVE-2019-0227
2019-05-01 21:29:00
symantec
symantec
FasterXML Jackson-databind CVE-2019-17531 Remote Code Execution Vulnerability
2019-10-12 00:00:00
Apache Axis CVE-2019-0227 Remote Code Execution Vulnerability
2019-04-09 00:00:00
osv
osv
jackson-databind polymorphic typing issue
2019-11-13 00:32:38
CVE-2019-17531
2019-10-12 21:15:08
Server Side Request Forgery in Apache Axis
2019-05-14 04:02:24
redhat
redhat
(RHSA-2019:4192) Important: rh-maven35-jackson-databind security update
2019-12-10 15:26:25
(RHSA-2020:0939) Important: Red Hat AMQ Streams 1.4.0 release and security update
2020-03-23 13:14:04
(RHSA-2020:0895) Moderate: Red Hat Process Automation Manager 7.7.0 Security Update
2020-03-18 14:45:02
debiancve
debiancve
CVE-2019-17531
2019-10-12 21:15:00
CVE-2019-0227
2019-05-01 21:29:00
veracode
veracode
Remote Code Execution (RCE)
2019-10-14 05:13:49
redhatcve
redhatcve
CVE-2019-17531
2020-04-09 10:09:52
CVE-2019-0227
2019-04-11 08:59:43
ubuntucve
ubuntucve
CVE-2019-17531
2019-10-12 00:00:00
CVE-2019-0227
2019-05-01 00:00:00
github
github
jackson-databind polymorphic typing issue
2019-11-13 00:32:38
Server Side Request Forgery in Apache Axis
2019-05-14 04:02:24
ibm
ibm
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
2019-12-20 08:47:33
Security Bulletin: Vulnerabilities affect IBM Network Performance Insight (CVE-2019-14379, CVE-2019-17531, CVE-2019-14439 and CVE-2019-14540)
2020-02-13 03:02:33
Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony
2019-12-17 02:33:42
rhino
rhino
CVE-2019-0227: Expired Domain to Remote Code Execution in Apache Axis
2019-04-09 10:30:52
githubexploit
githubexploit
Exploit for Server-Side Request Forgery in Apache Axis
2019-10-27 14:42:54
packetstorm
packetstorm
Apache Axis 1.4 Remote Code Execution
2019-04-10 00:00:00
exploitpack
exploitpack
Apache Axis 1.4 - Remote Code Execution
2019-04-09 00:00:00
zdt
zdt
Apache Axis 1.4 - Remote Code Execution Exploit
2019-04-09 00:00:00
nessus
nessus
Oracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU)
2020-01-17 00:00:00
Oracle Application Testing Suite (Apr 2020 CPU)
2020-04-16 00:00:00
Debian DLA-2030-1 : jackson-databind security update
2019-12-12 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Axis Remote Code Execution (CVE-2019-0227)
2019-04-22 00:00:00
debian
debian
[SECURITY] [DLA 2030-1] jackson-databind security update
2019-12-10 18:54:11
f5
f5
K32562850 : jackson-databind vulnerabilities CVE-2019-16943 and CVE-2019-17531
2020-06-03 00:00:00
openvas
openvas
Debian LTS: Security Advisory for jackson-databind (DLA-2030-1)
2019-12-11 00:00:00
exploitdb
exploitdb
Apache Axis 1.4 - Remote Code Execution
2019-04-09 00:00:00
almalinux
almalinux
Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
2020-04-28 09:00:20
oraclelinux
oraclelinux
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
2020-05-05 00:00:00
cloudfoundry
cloudfoundry
Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind | Cloud Foundry
2019-11-13 00:00:00
rocky
rocky
pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
2020-04-28 09:00:20
qualysblog
qualysblog
Oracle Patch Tuesday, July 2023 Security Update Review
2023-07-19 15:56:06
kaspersky
kaspersky
KLA11641 Multiple vulnerabilities in Oracle VirtualBox
2020-01-05 00:00:00
mageia
mageia
Updated jackson-databind packages fix security vulnerabilities
2021-03-27 17:27:02
ubuntu
ubuntu
Jackson Databind vulnerabilities
2021-03-15 00:00:00
hp
hp
HP Device Manager Security Updates
2023-10-20 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2020
2020-07-14 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - January 2020
2020-01-14 00:00:00
JSON
Related for ORACLE_WEBCENTER_PORTAL_CPU_JUL_2020.NBIN
prion3cve3symantec2osv7redhat13debiancve2veracode1redhatcve2ubuntucve2github2ibm33rhino1githubexploit1packetstorm1exploitpack1zdt1nessus18checkpoint_advisories1debian1f51openvas1exploitdb1almalinux1oraclelinux1cloudfoundry1rocky1qualysblog1kaspersky1mageia1ubuntu1hp1oracle13