DATABASE RESOURCES PRICING ABOUT US

{"id": "RHSA-2020:5568", "vendorId": null, "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2020:5568) Important: Red Hat Fuse 7.8.0 release and security update", "description": "This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* libquartz: XXE attacks via job description (CVE-2019-13990)\n\n* jetty: double release of resource can lead to information disclosure (CVE-2019-17638)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\n* springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)\n\n* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)\n\n* camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution (CVE-2020-11972)\n\n* camel: Netty enables Java deserialization by default which could leed to remote code execution (CVE-2020-11973)\n\n* shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)\n\n* camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\n* shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)\n\n* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)\n\n* jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)\n\n* thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)\n\n* spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)\n\n* spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)\n\n* codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)\n\n* cxf: does not restrict the number of message attachments (CVE-2019-12406)\n\n* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)\n\n* Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)\n\n* apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)\n\n* cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)\n\n* tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers (CVE-2020-9489)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n* camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)\n\n* karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)\n\n* tika: excessive memory usage in PSDParser (CVE-2020-1950)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "published": "2020-12-16T12:07:05", "modified": "2021-06-29T15:22:55", "epss": [{"cve": "CVE-2018-1000873", "epss": 0.00205, "percentile": 0.57227, "modified": "2023-06-19"}, {"cve": "CVE-2019-0205", "epss": 0.00301, "percentile": 0.65417, "modified": "2023-07-15"}, {"cve": "CVE-2019-0210", "epss": 0.00328, "percentile": 0.66949, "modified": "2023-07-15"}, {"cve": "CVE-2019-10202", "epss": 0.00904, "percentile": 0.80483, "modified": "2023-06-13"}, {"cve": "CVE-2019-10219", "epss": 0.00187, "percentile": 0.5473, "modified": "2023-06-13"}, {"cve": "CVE-2019-10768", "epss": 0.00091, "percentile": 0.37503, "modified": "2023-06-13"}, {"cve": "CVE-2019-11777", "epss": 0.00125, "percentile": 0.45883, "modified": "2023-06-13"}, {"cve": "CVE-2019-12406", "epss": 0.00245, "percentile": 0.61168, "modified": "2023-06-13"}, {"cve": "CVE-2019-12423", "epss": 0.00289, "percentile": 0.64456, "modified": "2023-06-13"}, {"cve": "CVE-2019-13990", "epss": 0.00314, "percentile": 0.65932, "modified": "2023-06-13"}, {"cve": "CVE-2019-14900", "epss": 0.00104, "percentile": 0.4113, "modified": "2023-06-13"}, {"cve": "CVE-2019-17566", "epss": 0.00121, "percentile": 0.4518, "modified": "2023-06-13"}, {"cve": "CVE-2019-17638", "epss": 0.0042, "percentile": 0.70565, "modified": "2023-06-13"}, {"cve": "CVE-2019-19343", "epss": 0.00133, "percentile": 0.47256, "modified": "2023-06-13"}, {"cve": "CVE-2019-2692", "epss": 0.00045, "percentile": 0.12392, "modified": "2023-06-13"}, {"cve": "CVE-2019-3773", "epss": 0.00636, "percentile": 0.7614, "modified": "2023-06-13"}, {"cve": "CVE-2019-3774", "epss": 0.01166, "percentile": 0.82932, "modified": "2023-06-13"}, {"cve": "CVE-2020-10683", "epss": 0.00261, "percentile": 0.62434, "modified": "2023-06-06"}, {"cve": "CVE-2020-10740", "epss": 0.00333, "percentile": 0.66926, "modified": "2023-06-06"}, {"cve": "CVE-2020-11612", "epss": 0.00623, "percentile": 0.75879, "modified": "2023-06-06"}, {"cve": "CVE-2020-11971", "epss": 0.00107, "percentile": 0.42281, "modified": "2023-06-06"}, {"cve": "CVE-2020-11972", "epss": 0.00884, "percentile": 0.80239, "modified": "2023-06-06"}, {"cve": "CVE-2020-11973", "epss": 0.01072, "percentile": 0.82145, "modified": "2023-06-06"}, {"cve": "CVE-2020-11980", "epss": 0.00071, "percentile": 0.29045, "modified": "2023-06-06"}, {"cve": "CVE-2020-11989", "epss": 0.26221, "percentile": 0.9603, "modified": "2023-06-06"}, {"cve": "CVE-2020-11994", "epss": 0.00079, "percentile": 0.32611, "modified": "2023-06-06"}, {"cve": "CVE-2020-13692", "epss": 0.0094, "percentile": 0.80864, "modified": "2023-06-06"}, {"cve": "CVE-2020-13933", "epss": 0.00075, "percentile": 0.30555, "modified": "2023-06-06"}, {"cve": "CVE-2020-14326", "epss": 0.00084, "percentile": 0.34447, "modified": "2023-06-06"}, {"cve": "CVE-2020-1714", "epss": 0.00387, "percentile": 0.69345, "modified": "2023-06-06"}, {"cve": "CVE-2020-1719", "epss": 0.00054, "percentile": 0.20553, "modified": "2023-06-06"}, {"cve": "CVE-2020-1950", "epss": 0.00056, "percentile": 0.21461, "modified": "2023-06-06"}, {"cve": "CVE-2020-1960", "epss": 0.00042, "percentile": 0.05671, "modified": "2023-06-06"}, {"cve": "CVE-2020-5398", "epss": 0.97084, "percentile": 0.99632, "modified": "2023-06-06"}, {"cve": "CVE-2020-5410", "epss": 0.9712, "percentile": 0.99649, "modified": "2023-06-06"}, {"cve": "CVE-2020-7226", "epss": 0.00932, "percentile": 0.80777, "modified": "2023-06-06"}, {"cve": "CVE-2020-7676", "epss": 0.0022, "percentile": 0.58616, "modified": "2023-06-06"}, {"cve": "CVE-2020-9488", "epss": 0.0026, "percentile": 0.62378, "modified": "2023-06-06"}, {"cve": "CVE-2020-9489", "epss": 0.00055, "percentile": 0.20866, "modified": "2023-06-06"}], "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://access.redhat.com/errata/RHSA-2020:5568", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2018-1000873", "CVE-2019-0205", "CVE-2019-0210", "CVE-2019-10202", "CVE-2019-10219", "CVE-2019-10768", "CVE-2019-11777", "CVE-2019-12406", "CVE-2019-12423", "CVE-2019-13990", "CVE-2019-14900", "CVE-2019-17566", "CVE-2019-17638", "CVE-2019-19343", "CVE-2019-2692", "CVE-2019-3773", "CVE-2019-3774", "CVE-2020-10683", "CVE-2020-10740", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11980", "CVE-2020-11989", "CVE-2020-11994", "CVE-2020-13692", "CVE-2020-13933", "CVE-2020-14326", "CVE-2020-1714", "CVE-2020-1719", "CVE-2020-1950", "CVE-2020-1960", "CVE-2020-5398", "CVE-2020-5410", "CVE-2020-7226", "CVE-2020-7676", "CVE-2020-9488", "CVE-2020-9489"], "immutableFields": [], "lastseen": "2023-08-04T12:27:58", "viewCount": 117, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:3176"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2020-13692"]}, {"type": "amazon", "idList": ["ALAS-2021-1533", "ALAS2-2020-1482"]}, {"type": "archlinux", "idList": ["ASA-202005-8"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BSERV-12196", "ATLASSIAN:FE-7344", "ATLASSIAN:FE-7346", "BSERV-12196", "FE-7344", "FE-7346"]}, {"type": "attackerkb", "idList": ["AKB:770521DD-D057-4195-A187-66787A667266", "AKB:9C1D0E92-46E7-498E-99D8-8198572E25E3", "AKB:FB2F65B2-D10B-4622-AEE6-41AAD3C1E6E7"]}, {"type": "centos", "idList": ["CESA-2020:3284", "CESA-2020:3285"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-2209", "CPAI-2020-3581"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2020-5410"]}, {"type": "cve", "idList": ["CVE-2018-1000873", "CVE-2019-0205", "CVE-2019-0210", "CVE-2019-10202", "CVE-2019-10219", "CVE-2019-10768", "CVE-2019-11777", "CVE-2019-12406", "CVE-2019-12423", "CVE-2019-13990", "CVE-2019-14900", "CVE-2019-17566", "CVE-2019-17638", "CVE-2019-19343", "CVE-2019-2692", "CVE-2019-3773", "CVE-2019-3774", "CVE-2020-10683", "CVE-2020-10707", "CVE-2020-10740", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11980", "CVE-2020-11989", "CVE-2020-11994", "CVE-2020-13692", "CVE-2020-13933", "CVE-2020-14326", "CVE-2020-1714", "CVE-2020-1719", "CVE-2020-1950", "CVE-2020-1960", "CVE-2020-5398", "CVE-2020-5410", "CVE-2020-7226", "CVE-2020-7676", "CVE-2020-9488", "CVE-2020-9489"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2161-1:2B202", "DEBIAN:DLA-2161-1:C6AFF", "DEBIAN:DLA-2191-1:6C344", "DEBIAN:DLA-2191-1:AF8DE", "DEBIAN:DLA-2273-1:3F203", "DEBIAN:DLA-2364-1:39666", "DEBIAN:DLA-2726-1:D3013", "DEBIAN:DLA-2852-1:37D89", "DEBIAN:DSA-4885-1:31BC0", "DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5196-1:1B171"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-0205", "DEBIANCVE:CVE-2019-0210", "DEBIANCVE:CVE-2019-10219", "DEBIANCVE:CVE-2019-10768", "DEBIANCVE:CVE-2019-13990", "DEBIANCVE:CVE-2019-14900", "DEBIANCVE:CVE-2019-17566", "DEBIANCVE:CVE-2019-17638", "DEBIANCVE:CVE-2019-19343", "DEBIANCVE:CVE-2019-2692", "DEBIANCVE:CVE-2020-10683", "DEBIANCVE:CVE-2020-11612", "DEBIANCVE:CVE-2020-11989", "DEBIANCVE:CVE-2020-13692", "DEBIANCVE:CVE-2020-13933", "DEBIANCVE:CVE-2020-14326", "DEBIANCVE:CVE-2020-1950", "DEBIANCVE:CVE-2020-5398", "DEBIANCVE:CVE-2020-7676", "DEBIANCVE:CVE-2020-9488", "DEBIANCVE:CVE-2020-9489"]}, {"type": "f5", "idList": ["F5:K02349370", "F5:K15111130", "F5:K23157312", "F5:K32412075"]}, {"type": "fedora", "idList": ["FEDORA:05AFB3091421", "FEDORA:0D7F230979AB", "FEDORA:12DAE6051076", "FEDORA:1364530979AB", "FEDORA:1620B30A0F0E", "FEDORA:2BBC46051742", "FEDORA:2BD533098BA0", "FEDORA:32EC36051065", "FEDORA:489136051065", "FEDORA:49205309799A", "FEDORA:4DF45605106F", "FEDORA:61A713098ED5", "FEDORA:62812605106F", "FEDORA:67F5A6051068", "FEDORA:7A1EA3098BA2", "FEDORA:7C4736051069", "FEDORA:82BA46051069", "FEDORA:85B0430979AB", "FEDORA:94A8C309799A", "FEDORA:957DA605174F", "FEDORA:9E3346051071", "FEDORA:9F2FE3098B94", "FEDORA:AF19730979AB", "FEDORA:B11A16051070", "FEDORA:B8E2D6051075", "FEDORA:BACE03098BA0", "FEDORA:BDC9D3090DB1", "FEDORA:C4FE16051044", "FEDORA:C6AD93098B94", "FEDORA:D1E836050C52", "FEDORA:D4B143098BA2", "FEDORA:E0E2C3098BA0", "FEDORA:E63546051071", "FEDORA:EC39E6051044", "FEDORA:EDF1E309799A"]}, {"type": "freebsd", "idList": ["09EA1B08-1D3E-4BF2-91A1-D6573F4DA3D8"]}, {"type": "gentoo", "idList": ["GLSA-202107-32"]}, {"type": "github", "idList": ["GHSA-2VGM-WXR3-6W2J", "GHSA-2X6R-7427-95CM", "GHSA-32XF-JWMV-9HF3", "GHSA-37G7-8VJJ-PJPJ", "GHSA-3H29-52VH-PQGR", "GHSA-3WC8-659G-R88Q", "GHSA-42F2-F9VC-6365", "GHSA-4PV3-63JW-4JW2", "GHSA-58P8-9G59-Q2HR", "GHSA-63QC-P2X4-9FGF", "GHSA-6G88-99WJ-8MGG", "GHSA-72W9-FCJ5-3FCG", "GHSA-8222-6FC8-MHVF", "GHSA-88CC-G835-76RP", "GHSA-89MQ-4X47-5V83", "GHSA-8GRG-Q944-CCH5", "GHSA-8HXH-R6F7-JF45", "GHSA-8WX2-9Q48-VM9R", "GHSA-9JG9-6WM2-X7P5", "GHSA-9QCF-C26R-X5RF", "GHSA-9VFJ-5G7H-4P24", "GHSA-C27H-MCMW-48HV", "GHSA-CMX4-P4V5-HMR5", "GHSA-H4X4-5QP2-WP46", "GHSA-H79P-32MX-FJJ9", "GHSA-HFG5-XPVW-C9X4", "GHSA-HWJ3-M3P6-HJ38", "GHSA-JCQ3-CPRP-M333", "GHSA-JQ7P-26H5-W78R", "GHSA-M6MM-Q862-J366", "GHSA-M8P2-495H-CCMH", "GHSA-MHP6-PXH8-R675", "GHSA-MM9X-G8PC-W292", "GHSA-P9CF-QJXQ-VXW6", "GHSA-RJ7P-RFGP-852X", "GHSA-VRMW-2XHQ-HRMP", "GHSA-VWQQ-5VRC-XW9H", "GHSA-X3RH-M7VP-35F2", "GHSA-X64G-4XX9-FH6X"]}, {"type": "githubexploit", "idList": ["0FF82942-18BE-564C-8559-A8747AF02003", "1A203CD7-3FDD-5243-94EB-06C3564EB1A3", "4149EA3B-6A39-507B-A34C-22418BD1F20A", "4D38002E-58DF-5264-9A2E-9E446EDF6721", "90D8ACE9-AE14-5976-A039-C2AB9C529504", "92A898EB-09D3-5A57-B135-DD1C175B6B18", "D05BED3C-1405-5414-B868-D7E9E1AEC6EF", "F03542D2-479B-5B94-9D8B-B72D71D8CBCA"]}, {"type": "gitlab", "idList": ["GITLAB-5C34077F656744ADA65A57371F332F9A", "GITLAB-6E83EBC47DBC6934632B7FCFD2D48637", "GITLAB-F66DCF5D466CEC7E38E0C4381DADC55C"]}, {"type": "ibm", "idList": ["016248796F0D60834A9AE6D8C8659223A06C7DCF5A1BFEB093E2C71A7B706F76", "026861C8F37CB442AEB06F08CB67784AB6226E1C2C5830E2D4227D71E9453C5B", "029B79D2A1319C5BDC1C8DA56C4D9B225C64CFEF9D599A11A3FF8AED3FC903C3", "02EF8009E8FC77A6E66FFCE1B67A472B3B1B1D15700B7594E5084CE595A5CF52", "02FD10030B8366010758D75673B2286A0CD064A8561853F6F314CF7B7BC8B298", "04846E2257AD4BD33CFE7B37A3258269E52A6BC63F384BA08A706F7B8F8808F8", "0552F3A26220DDA3F5D387F494714842FF16F0E151708228326968DC82BDB134", "05996CA3681F693A59525A2CFB7913B00FD3EC80FA9669C448A3B527653DAB6F", "05F3B2BCBA66E63FF50CAB9D4E4610B2EAE6CD3DA38047220611B10B02307DE3", "066CC30FF07EA70663C1053750F35662E071CE8F2ADB63927D6FD5956CB157A7", "0681FE433B8BCB85261721415D3F794D3807E9F448C06FB726FADF1A29A35A9C", "089B564037CD6CBF124F570A0074A8E6C37E90240BCF8C5297D2EBD444E34F18", "08BE0A8BB84E3BC2898AB7755B7D1A3495C89B7E47A13AF2D70C5EEDFEB7423A", "099DD49202775CBB1F4948F66DB50FAE41385719EDE85DEF5171C85DA36B727F", "0AF4568867479D47E4352B7E039C8B495FFD7D263FC7B6E5D521CCBE61FFC605", "0B32FE452355B1C3468364CEE7BB901540B1401AA499444B7D5418E694FA963A", "0BDDBA484F3367829DBE683BE155B8F63CE6E7CF5747401F154DB308D91D8FD4", "0C49DC7FF9688CB3C8974272755591BF1B851989940E674D2850C0DB0FAA67A4", "0CF13F8FB4FD77C6593C265FA8F397D0C4324FC1F07F86C436B4937E98B25DBF", "0DB781AA08EB5BF3514B03091A0400B8238C108F721C116A9739CB261ED78D7F", "0F297F5F87FAC22F33127BF32110D0C0B158B6859BCE9E0ED4EB35484AD06F6A", "108B881F58BDABF9FFB471772510149AE93FEF1CA5E7083CA8DCD974DFD78412", "11D50567E527C1FAA2CC7E5BFC7E0A144943437DED5DC6E20F8744DBB47E7648", "124495DD455D7F5D1C3DB0D3404B8054E94AC8A5A5D620E6E377E96048271229", "126E1024546918D07264839DD88F2FF75D58789A0F611D0689966886112B533B", "146E5B6C7DEF48D9B9132CEF69C4B99A3655374C8A833C5CDB62A212794B3988", "14F4982730CEAFD5246C271622B4E77BD29429BC1475F327DD047BBD585280F3", "1684DEC3DF3BB9E78C84E76D9D7057965A40ADC07F69C113F4E928D34BF0D671", "16BD53FF8D4AF4008A6B9480C8D62C5AECEF46E4F486EC150D2D9BBC2C7349FC", "18A14947A726E488C2CEB7E8A6A20CBD52C5EAFEF83C6210553BEBC1948A02EA", "18E3835EB48610335189B66CA3B787759BF28CEA62D84163A3574C70FFE6874A", "1A7668E81452E83AB00678328095567DA17543F8BDE6DB1EE678E96C5B064FD6", "1B99BE15EF0865EC7D6CAAD98E1510DF110D3FC32411F14658640A57804FCBB5", "1CA5EFFF48503220FA8729D288342161A3477C54DF435407E3869B260531E400", "1E239D8C4813C8FA705CBB86F01F323B29B73D1086FDF65021C9CB4B0146A272", "1FF8E68E83BF3DB2672591959122E4AFEF74C0664CD23BFF44CDC08E383E49EC", "20CF2AD2EFF7DE6AD8F93586D48E59262F447700FFF48E5E610099B41CEE05B7", "2386F1AB0413EEF3A8C299A357E7BB8AB76A40C4C355F7A3F8BB00B41DA6A965", "25206297B6D314EFBA6A453E6E477EDBE6B461984AA3CA1C8DFEE5B6F69F28FC", "25465AE304B2A76CEF5AAA7B2ED23C6230565ED22DF8525A608DE70FB394D75E", "257282661EC40294AA6CD7D16D142C7D834B7703E989C3E4C143A5B9AF27C918", "25F67427B3CB716CD779279781C3805091614F56FBDF720352221C7BFCD61545", "26C2D2D50BF66B18D568B39D5C0159D92777EF3637170739E97769DB93D44C46", "276311EA26EA41FBAE81DFB3042788416A0F2799192780CD6BCD5F7081C47F5C", "28E0CB5C99EA2D9D29E76348BDEA32969117AF8D0FAE1B64E67CFEE258A643A3", "2B3C9C8FEB87062CB2249D828A603478C6CE6A6307CF7103B8825D9FE81CAD3A", "2BD4C17835FEE75B5DD82D43E16DF6D6AFA1DE77CB24213DFD8CE6D73C92BEDD", "2C2DAE3598B90C90576BD2F18C01B0F3350AAF6A99435251F77D87ABDDF8CDA1", "2D1C0AA1418FBF47302662148F950E7C026FF064EF3B9F6614CBF0F8FA30BD0A", "2E01377B53F391E376F1759320631A1C142B4E58121781793F84A5847C6E21D0", "2E3576FC9DB523E4FB2CBA935633AE28BB3DCBE18A90FB77A0F3E1112A899144", "2FE97BC0DB8A3B1BCF85FF8F69828770D4396C7CC3ABD37202D8089D2CADF87B", "30F126C0FEE1D6C0436DFF1A6751EE8FDE2C7921F8AC99F5FF4DF624573C80E8", "31C0D6F0198B5B32668729F457051BC27E8C565F391B61E6339D7B6015170602", "32E0DD5046A745AD2658461468D01145619C0232B4A373850B922EDB6BCB5949", "353C8048EB40D7C11CD60ABB9D7F5DFD666EDB60B698E9932FC1A04919041609", "35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "366CE799D9AEE4234CE4D38A22D774A769300127F0319D9238DAEC27C48436E1", "3755B625DBADE7DE4185C0819F20F881E64A55AB634CC8F2D195BB7386CDA064", "3B8955E90A75DA2251988CD12D1FDBE7CE404EE0628540DC232E613A0739B512", "3BF2E5B5DC96CFF6560CACA72BDEFBC18C7F886DCC73DD4BC3A493BD7B4647F1", "3F8BFA161D8ACAADC208317BA26AAC30EE1793F948D454DB7BC13F5155B44393", "3FE63A3F5C5015BF12CBC5431C7DB0BF49847105404A82C433D9F62224F6903F", "4029D42CC914504E09EE100B22AC6776680410A3D499885D657894142CD104C8", "41CB9666A88AE67D4A0558674B8CFDA62F160B6DDCBA3C10576515447887CF12", "41DF23CE2735413DAB9CB5FEC88B4F08F99AD02C93EA5246E5E57959ACBB4A3D", "43889098AF27B56E1AAC2C0ADC87D15751A2B0CCE3BF25260E32BBE3CCA7CE93", "441A6459C1CBE843EDD7F5C4D862AA7C6F90584EA901F82EF1B6D31B418078EB", "44AB81145F56D1DFCE25BD0377256BF4F249F090106634935902C6B2AB63091D", "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "46F19B07C11D71E357D28FD4B0BFDE347B5C2272A359685427860584D313AC3E", "46F281D20C0C1095CC472ACBAF68237C65D334D0AB8DD55E297FA1FF26490AA9", "470748236CF687BBC17C70DFCCF5107CED7FA6CB57B3A02A0A94855B02E20BF9", "47274321AA3430917FC9FF88F99229CD7614CD6268ABCD535250486839A8D636", "476B017015C7BC4F8F39C2B41A3D687C1FD9E58B44A524C0A4CF05B7ED875145", "47AC8E33365C040A01C5CD6B775EE90932188BE66F1604397C6FBA4BF247B44B", "491394DDEE034747D7811D1973C25BFF278CF244B77553F19F191E2CAC5CF3CB", "4A1C188763F3119FDB44FDF3400E538CC823B6DC1E41575318DE1B1E213CBE04", "4BEC8E9463E4B27C09D4E3ECF5C98A9E0D6D193C06E6EFC3DEDB9F41368D7DC0", "4BF223391C936C5664E65BE0C1633537E0B423C3C637E028FA4ABFD7531FC294", "4C55D0F935CAC3173B24A2C1EC5A9D52352A95DF1F7DA61A873550097C4F2287", "4D42AAA4F789C7D1BA65614CE73F72CA7B880E7B175E5E14A5BA53020528C9D9", "4DFE5A6ED234327248E8451B57200F8C7A68429EC3CCCB0DFECC6728217B38C9", "4E2A0891FC6A9216C5F9B6391FCCE631A5FCFCA9CD4485D154F09E66D094E86B", "4EC468925EC1B01AC3E2235FC9136746880477512CE0A8130EE536AD1AADBEA0", "4EEA40866A50FD47B88CDEDFE5D4501E3C595A076C9874F03873B7D7BEC2B0F8", "4F83B26494F5C02A937F66487471A788F350B0FE1D9EABC80254DB502CA97A51", "50DC1B1994895BC1C226A92BC0B7264A641557390B46248C6B3F4616AE8CF0C5", "5100AC8D5E4B9B2820C8E97CB99708D3E6DA55A8125242DB99536FD592D317C2", "516C78282E257BAD924E6FC3088367963BA15FCD8305B1B9C4978CA225F03D64", "516E060FEEF277A36D6526C4E424F4FB4783A65B1BFD619BAE759477F50DF1B7", "534BE42CCFEBF334619AFF9C2FB1955CE0C058A0559E49A3D0C26AB6F743C73E", "54E686FBB2E60A0BDEAB59EFECEB36D61C77A784661FD44124BD8864158EE317", "552FD8E250C33622C92D4D81FCFD993060B032D714D05723F83EB943297F3CBD", "56F9723982132B683C4DD7E5CD0AB34DB6072851ACF97609CF6104E5D4621E6E", "570AF6CDC4F7E864E6852EBD03923041C13A884B424AC254820AD0EEB73694DF", "573F294E16A1C9B7682B48604209232E9D20CDAD4F9D09F633AA855F804E24CD", "574FC031AF9B64FDFC8B0BF65E22355456EDFA4CF1ECE74E592CA6972407F30F", "5E5C3542432C244148D8B1FE3AB5BF8C0F5F43AB9B9058BF91D5D4BFEA40DA5C", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "5F792F8D340FF2EE83DE40316936CA0AA1272904A4423A4CAF9FA698D9FD6BE0", "607040F58DA4793E739F08EA2C0296DFB8A3D91BFF1561FDED37EED2FF40B649", "60DB7F5346C5B9A16FA72AD40E93F7504EC85787EA9E05A8A2B66219C25CEE88", "61FF6F10F0D76277F85A8A525D2C9989283AB04F3D830BEC0894CE78DF0624A3", "628CB36753883231031D529A86E264092FF7A5CF21319F4F245464EF4C4FB0BA", "638BC9B9F1B860264859BBA0AE04F262C584B383B8D229DBFD85404C0046EBA0", "63C0560C61FE9A9777F6402C4988E794A31F66C8118AFA944D2596065F5D0454", "644A8D20EA5C122A543FD2875F814F29458A670A8F81310C4182A6D4DD814E43", "64ADFD088203597B59C398AB3DEF28DC4F72D37A4C48C7FA81C6531EDA6A9877", "656937FA945DE5E58B9B5C0431A830AA521D479596EA01ACED0A20A166C4E3B3", "66886B86D22AD162D05F9B987C32085ED4A1AA2754E87D356E718DE087B7313A", "6784BC34D0FCECB9B5FB794C704830365E6708545EE821C6E4407D5B8BFC90F7", "6834E3905AADC819DB5BF4042B617F874AC24BCB0AC2F484A2275161173B7A89", "68B092CBA8F5743587D161CDB98D1B53F61274CFB122FF0C24F25A5225B848B3", "69C147CB642B39AA3250947FC1868ED542CC9C2C3BED4BA821CAD9BA0F178E84", "6A183CCACC979B3E3450E7FF10F849177081B9FA384CBA6358BB786A20DBFBC3", "6C8F65238744CBD50867F0DE4F67D738F76BBC9B5A7E11C859713D69F6C221D3", "6F00ABE4CAE86046BA6F8DB98B699B35E1576BA3A41DF2CF932EECB6C3DA34B0", "6FC3A70E69693A6A15050339D9B2368FE0F69A247562F6FDA33037FBACD59417", "70A244D2ACF5F54C8A00B80F18E4E6BBB5679FDC6B106AC69D24FEF5900799DB", "73DEE30800CCC9325D5F1586487B2795A5B59E4F564CA3DF38C3A192975E9546", "7463232BD9391B70113F6779133DEEDF82C2F9FB5E2F9C9C4D0363B332E72184", "75EECDFC779DA9FD1966C5DAD1AE11A16457B1CE376CB9360156AA150266966E", "77A5CD46FD3C6940EFC34DE8C8AA831927106A12E0E3EAC862A5D46723F4092E", "77D1D444B20370DE0EDFF23D9E385D851AC796623E4D85D114F6A8AA31FAB59A", "77E3C17864071E6772CDF6C8E252ACF8E77FD5D30AB4631D569A5A980B8C27A1", "788251FD7397EDDA8B4E4DF8AACBE1D142303877A23213E980EDE042998B46CF", "7A34C5EA3878227646136480AF345DCC5DF882B26F65D3380EC0064BCCA45485", "7ABBC2216D89EE5076D0AB79D6300D3A5AE89E3041479BE2F8B35ABF99235A12", "7CFD15481B10EF25CA2897D79DF5E964CCBF6F259DAF4C8B56677086A6FA579A", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "807F02BF5D04D1D709B1D383A56D073A3E2ABB5E058B819FF145C9C80E083AF4", "81489FC3C5B7D5FCB5B59EA6F0E2BD3C9EE1E397EFC067E75215C457F66C5C91", "81D5F6F41E5617EDA7FF694BBE43496FC48B7577BB4C9C238127ECCCB1D40118", "82A9F24907A9B5CA433EF30634767972B95813695A7590E7216F059F1BAF1D8D", "873E4E7D31B3D0678D775F72B794EC936D165E1CF0679FF3C31754D430863C36", "88030D4F1517AC9EC8202290C87E6CA9AE0FE862783A643A8EA37C2CBB13C39A", "8B2AA49114B0E5F7D2BB4B82734BAD2524EA50B29A1FE570A4CBAEC23A3CFD3A", "8B4280038708174DEFB2BDC7E22A73E3623DD5A7DF7C81925677FB4F847C39F7", "8C2C4E2C0A521DE5440EB6823B48F550EFFAC9F2827DC45DF361442B5CC5D8BF", "8DE2E6E735F4C865DFF522FC1476032743D235229E5B6DE14A486A6D7ABC31A4", "8EFB8A654D3536DD4481500A7680D75E0B2A04D2F63C829CAE130B12A35D7ED3", "90246D34A2A9EC4005A1B788C09D0DF4366E66BC9D5DC5A39EEF5286DE79E161", "906B64791AA71F432F14BB58CCAEE6A9622AD741C3E459C5C2594F4C546B7BA9", "91D7C6C9A5739FEE5F42D389A6790AF75591DE3F4B00792DEC9B2F9736C9AA92", "9308099D073B8B4A5B875ABF63A2A8BA4F4ABCB691E71E14B89B4833B4ED12AD", "942E8FACD0350ED3215EB9DD3629B360E18E87D3ABD165831163EDE9AAB16C21", "948BCC9F22A9E406D5CD799F6EF0E00FD425491AC80A0EEC98CF827FE115B33E", "9770323F532BB10EA2CF6AA35FD83A103279F223480B36A5D157CEB2FDA4B9D8", "97A176E78EC8C5DE0F387E4307F253F702CEBE34D99D5F851133362E788CC9F6", "97D5F772EC68BDCD260FBB9DFB7A322AAAC657E9360305DF11F9C6A6A40D1B85", "9B7484C34C9F34F0426B6E8110F51B91DBBF139DD14849DC744E1B348D2F480F", "9B9D4DB8D308A54698E7B910C6E16622F6488912436BCD41BCF8F2EE256D66C8", "9C281E51011593E8EEB75C9B2ABA710432CC18DBD8E16DE56F7985BD8E4C1BBB", "9D10729AB8873D23F2244363D8A1DDDC6F4683B3420052FC513112D30B8E6FC8", "9D4EC30B388B671B00F0D192ACD964A17D2BA337E5388809BC8935D15D6F2731", "9D70765425B02FB4212DD4D5C134270A48CF65000E4A833405DF290005C5A2AB", "9D9A01E02514803E9E0E5DD88830752E1595E1F1CC50F35B26CA6DC44AE2E184", "9E6FA1F3A9A1191971251B93D23C36DEAAB0788ADEF80DBC0987592BC5E6D5C3", "A089D140B4F8AAFF5D139406914667261E4C8A001F7B52A9F7071052F2A5F55F", "A14B65EBA573DAF04C0BB9F6CE66AF135D8290DA8A5F45D119CC85DEA986374A", "A150C2E017839DE1F5CBC686332D12515358F881E715C75E1B2D5509C5D5362A", "A1F6DDF011DAD0291EC494B8A8870EB4294541EF775B653EAFE335D3158A3D92", "A2457C3A7B20059C90A8B0A06C0058C69C62F582C42EE25EB0BD86681744A856", "A2924B4DE05BD5A9DE02BD29915404543555C0C4AAE9016A5C570D5EE0CB6EA6", "A2BAC82E395F9C0C2BED37EEE45890A06C1C799AB1B521E972E4D70A5F31ECA7", "A39A2E00B5BABE0243F9671D1FBE1DA3F18A76F8A4B8F40C5F0A37733F567181", "A48ADDF9899AB448105F32C12994F7EA922B37508ADD048389980EDDF8728CD7", "A49FC03081B73A65E6CCF013015154811700EB0AF3A788F88F0A2DD80E7DDB14", "A5BDBA48582E84D9D511148A7D6686E035238126382034F25D0DE3123B69FAB0", "A658826ACEFD8281700AA4C5F1D1D4C5E783F73C590631B873055789D4BF0CFD", "A6CA3CD9F33BD687A0216486ED1C39CB8E3C63D1608D060DA9A4AE193481E9D3", "A6D9D4111807AA4EB0126419E70851CE3116CAE1D7000C36A1B26DAEBCF4424F", "AAE68AA2EFC385FF3EBD4382FB866664D480CC7F1DD4B169227644E77ADC4B20", "ACDFCA5E93908C1CC35E54B4EF854ED57BCD6CD2641A3590CD2418E8BCA917EA", "AEC0722767EA21CDE0F10129C001F976425E48E7F302D7C24108AFF251D12D6D", "AECDD98774A5980E703AFFC833E5B5E98A8AE7DAE415D42A7FA66AFA8E72DA18", "B203EF5DF64CC2A004506A72B6F905A1E68685BCA2E219723ECDB8CB0AE9351F", "B236D3400A0C6106EC62C77931DC3654EEBAB6EEA563B3344ECFF477FD634E81", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B3078CC20AA0193DE0BA1F24BF600DB307BF3971A7F9CDE1170DAADE21278824", "B43C19A7C3830FE0BD2A0DC67EEA1A869FB4BCDC9E39048C7D25BAD77DC3AA41", "B5810DD31544DECD338CCD71F5C05C78B267068FE3FD01928B5545B05BEE5FA0", "B5B313A73D0B335F18892EC4196F2ABB099764E6FF53E09B6A30800B58EACAB5", "B5B6C4769983441433B811EF3AAED6CFC993849D42BC924ECF1CCA5E34838148", "B9609A42BFED86C36189258C748597C29F9D824D3DD52ECECFEEA902FDA884B1", "BF119CD5AE7B1CEEC619337D68DF1C885594AAEA27E0074FFE3FA7844E97F734", "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "C1043F35FF1F630A47D32A8195A08331316B4A0E682E22CCC64ED3A8793D1A86", "C38AFDD82BC77228F8D7DDBD5DE927E97F8C97D1E6B1F76B6C890149323EE9E7", "C43D2CB156B7BD39FC113EAD22568306F95463D3E29CC3A697EB085F142533BB", "C51EF092095509DC47C909859351A8ADA43A7C16BBC9EEABB3105B07B38B2E02", "C58498E175EED7B50ADCA41367E25183DF7331A1B1B2B3A2B2F1666536E9A062", "C6324A3EF45791634807F1A3E649F45DC0E3697C2CBC966F21AF4D4D9E99531F", "C633E3F919C9BCD1EAFB625FB054DC01CA44ECB316E9D13E7A22A44BF1FFF391", "C63F9049147CBF2ED4A200A30AAC47716B2DCF79A16C7EDB82A67B451E5E892D", "C758ABF843AEA1CFD27E07A6C5B13C15DDBAF74E0B92D29DBBA15B245A620B72", "C95C9771121CCE6842ACFEDC26BFC21B9739D3FC215633C459D55FD458440B00", "CCF7B61DF8195BD1D2CD817C3BC2B2940DBCC4A364675129DCD77F07546B8815", "CE9B7DAE68B959C5E4A5F965424DF5CB00879B1AB1296B115DB9CB1B8ACD054F", "CEFB2CDD169330DA5EC688A529952C2E9694D94C3E8E4A50C9011E9A9F7FD71F", "CFB508E192BFFB751D9631B9CE3C163893BF7B51549ACB62841DFBA9CB491590", "D0934964E9B56702CBED525517F4EA576FF2F33A8BA6C800C34ECA9B7FE90236", "D0A5B555EDACB41BD2BEDD13B3049376A92A8FA6B3CD3CD4DD45A15DE1037171", "D0B36475A4B658E0814531AA499810EB812EB1431F68943B8310DF7002931DBE", "D0C8E5E0BEE4FABB79DB325BB83CABDE3FDAB4C4F1FED02D03D24818C3955365", "D0F7FDBF77C996BBB5122723C58E77017602E39AA56CB302D43EF4B7BF253795", "D119D49C63D565CF5FF1DB2A9639F03B8A262F13941341F6EE7F4F012125086C", "D1EE65B724C053B8C531DB8F905A57DF1D402D875E50E3E22DD86A5856E65A9D", "D27EFACE988E0DA785579AFC4E4F02D75C37EB0A939F3F361B5C5BBACBB61A4D", "D31BBFD6A0A5021EB4550D1A719864970BA2A6914CFB3A966A43FDBBFB5835C3", "D3DCE49F85FE68AF51C5D2B463504D5A7870D422F5ACFC1E2C0DCB64F7543F5E", "D4F9AE28EA501CF2A176391E0E920E7B7FC3A2D7D8CE5319FAE6CA44DF5B1E04", "D5EE91437C61DB828864546A9877E1F863FE9DDA2D0B0BA7C35A8B9BDD774A7D", "D64BC5FE778E62F52FAF1A558C46AB9C63D2D06A74FDE22CC1A16BB67C6A0E8C", "D6A278AD53F24F8C2A141B0CE86714271C028E265EA5E488D59254EE85EA8F0B", "D794EA27CA7E3FF8825CDCEFF3439F08F1C4C2B94C2E54C22629BF94087D371F", "D903156D589ED41A4C2153A02110B35359AF467BCC497635D64F8FD11ECCFB43", "D9933DC2F45243B1EECAAC88FFE4749460DD4954EC12DA4342D5EE3BE7459FB0", "DA815A7C4A42ED491F84873B4248BBC6BF0CD175F8AA4219C89E764FB61FECD4", "DC8B783B9EAA31C03B1E404FC721223E232D2BB78FAD1F0FF5BCC2915BC8629E", "DD7E796DC101D56D3818D53295F88146B9FC7EE7058C596477B1B5AFCE363B74", "DDB6BECDB2F6AD03325FC289A06D647AF83BD3A8B6A5886DB4466FD926B7E25D", "E050D8D5849896048324B8F6ECAD453BADAE5D7AC416C364A5AABAA7AD09C664", "E21998D79E596F7A4F4AD06719A7D4A56FFB91644A0EB3DE8A78FF10B1B0E770", "E24DA558C6C58E4DA05950B06D7C9C1BFB980CB0462AF1D70A81036D55BCE675", "E298AFAE6C10545EEFE2EDCB1E58ACEB81769C82FC173BB89206A046496B5501", "E2B86254D720126A86E0D868B69F73304F67BBA828605033D214DA145B7078F4", "E46E249A2A7ED001BEF59F483830A2690EC2B94A16D5E8A1028E94B1AA23DA4C", "E619F0B12EAE67CCCEC5CE0326BC6EB363C3E94F87723AB21878B776DD8B0317", "E677723D81339CA25FE5CB670D8786FB1ABB44D538C8C5D7C05E9A9FAE453FF7", "E6EE20198BD4C32711820E67FB3A052C1C4BCF0D11A5A4BBA683215A3FA5825E", "E74C53C459F7FE1C89AE67FEC29B42B1B0BF95AA1A5FE3D3CA36BD71ABE75230", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E8369E4F0706AD67E1935A667DD2E6F656DC66DBF75209AA618BDB625E1D75DA", "E888E5EBE83D27A538FE4C5957DF731881D9808C40870DA1BFEB861547852D38", "E985F7DD50D9D8A298856E2C1DDC013C56A405C6DA86C2ECE58AB850F0AC19BE", "E9CDD69A151880279AA5C5E27039A10306BBC1E05EF41BEE24FB52ADDD64851C", "EA14EC6134110E482A82A70BFDEAD48335455A70FA71C151C62860AACE47AA41", "EB600CE5395CD89BA24F74E48B91CAA92CF18E64A90B1514E5930A42BF80F58A", "EBBA69401956060B98C4FDDE1CDAAA10D09B28A527F8C5C2F8D2998B16B675C4", "F0AFFAB5446BEF6A6B346CA7237A1583252E55B1EA002352E7DFDFFB5796363C", "F3A0AF7D427E6AED8E40B3D19585D93D61954607EC55F8F1D3E4A633C68E5576", "F4ACF6A7E5D7DE1275D32AC83A2605BD1EBE8A601F49D9C5C4F88B34B70CD57C", "F4CA880341B94608CA96ABB2752E8B1E313AAF497D8551E7FBFF02076E793142", "F52078C3CD6350F062D64B5C88176DBF009214F5DCC83CE7CB6761C3791B8AA3", "F6DD20E2A5E7EF327412295E91D769C6027CD2ECC3986ACAD58115C966FE6009", "F80C5E711C0351A31E0FF717B77CB85D7444954B128D05F999F7918282C0E604", "F86E22B7D4364B00DDE20B4FC7BF8FBECA6DFB9BBB025F902E24119D4762DB2F", "F8A4DDA029F2328327D7246A190F51A644FF83AC004365E8AAA5CD4EB466E729", "F9CD4ED7EAE495E6A1286F1C515E4B4F59C16F49BE7B4FA7E188219A3727D224", "F9ED99C3F4B2D868A3826BA34135EFCC7EF1978329C535488F23E6CF98DA913D", "FB0FED96F844946FA916BA96FE69D8FC255DE30F14533A361ECDC4784137B093"]}, {"type": "ics", "idList": ["ICSA-20-133-02"]}, {"type": "mageia", "idList": ["MGASA-2020-0319", "MGASA-2021-0034", "MGASA-2021-0133", "MGASA-2021-0168"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-SPRINGCLOUD_DIRECTORY_TRAVERSAL-"]}, {"type": "nessus", "idList": ["AL2_ALAS-2020-1482.NASL", "ALA_ALAS-2021-1533.NASL", "ALMA_LINUX_ALSA-2020-3176.NASL", "APACHE_LOG4J_1_X_MULTIPLE_VULNERABILITIES.NASL", "APACHE_LOG4J_2_13_2.NASL", "APACHE_SHIRO_CVE-2020-11989.NASL", "APACHE_SHIRO_CVE-2020-13933.NASL", "CENTOS8_RHSA-2020-3176.NASL", "CENTOS_RHSA-2020-3284.NASL", "CENTOS_RHSA-2020-3285.NASL", "DEBIAN_DLA-2161.NASL", "DEBIAN_DLA-2191.NASL", "DEBIAN_DLA-2273.NASL", "DEBIAN_DLA-2364.NASL", "DEBIAN_DLA-2726.NASL", "DEBIAN_DLA-2852.NASL", "DEBIAN_DSA-4885.NASL", "DEBIAN_DSA-5020.NASL", "DEBIAN_DSA-5196.NASL", "EULEROS_SA-2020-1596.NASL", "EULEROS_SA-2020-1677.NASL", "EULEROS_SA-2020-1799.NASL", "EULEROS_SA-2020-2102.NASL", "EULEROS_SA-2021-1113.NASL", "EULEROS_SA-2021-1165.NASL", "EULEROS_SA-2021-1349.NASL", "EULEROS_SA-2021-1457.NASL", "F5_BIGIP_SOL23157312.NASL", "FEDORA_2019-DF57551F6D.NASL", "FEDORA_2020-5A31CCFE66.NASL", "FEDORA_2020-CF8EF2F333.NASL", "FREEBSD_PKG_09EA1B081D3E4BF291A1D6573F4DA3D8.NASL", "GENTOO_GLSA-202107-32.NASL", "JENKINS_2_243.NASL", "JFROG_ARTIFACTORY_6_23_1.NASL", "JFROG_ARTIFACTORY_7_10_5.NASL", "MYSQL_ENTERPRISE_MONITOR_8_0_21_1243.NASL", "NEWSTART_CGSL_NS-SA-2021-0010_POSTGRESQL-JDBC.NASL", "NEWSTART_CGSL_NS-SA-2021-0087_POSTGRESQL-JDBC.NASL", "NEWSTART_CGSL_NS-SA-2021-0143_POSTGRESQL-JDBC.NASL", "NUTANIX_NXSA-AOS-5_20_3_5.NASL", "NUTANIX_NXSA-AOS-5_20_4.NASL", "NUTANIX_NXSA-AOS-6_0_2_6.NASL", "NUTANIX_NXSA-AOS-6_1_1.NASL", "OPENSUSE-2020-719.NASL", "OPENSUSE-2020-851.NASL", "ORACLELINUX_ELSA-2020-3176.NASL", "ORACLELINUX_ELSA-2020-3284.NASL", "ORACLELINUX_ELSA-2020-3285.NASL", "ORACLE_BPM_CPU_JAN_2021.NASL", "ORACLE_E-BUSINESS_CPU_APR_2021.NASL", "ORACLE_ENTERPRISE_MANAGER_CPU_APR_2021.NASL", "ORACLE_ENTERPRISE_MANAGER_CPU_JAN_2021.NASL", "ORACLE_ENTERPRISE_MANAGER_CPU_JUL_2021.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_OCT_2020_CPU.NASL", "ORACLE_GOLDENGATE_CPU_OCT_2021.NASL", "ORACLE_JDEVELOPER_CPU_JUL_2021.NASL", "ORACLE_MYSQL_CONNECTORS_CPU_APR_2019.NASL", "ORACLE_NOSQL_CPU_APR_2021.NASL", "ORACLE_OATS_CPU_JAN_2021.NASL", "ORACLE_OBIEE_CPU_JUL_2023.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2020.NASL", "ORACLE_PRIMAVERA_UNIFIER_CPU_OCT_2020.NASL", "ORACLE_RDBMS_CPU_JUL_2020.NASL", "ORACLE_RDBMS_CPU_JUL_2021.NASL", "ORACLE_RDBMS_CPU_OCT_2019.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2021.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_JAN_2021.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_OCT_2020.NBIN", "ORACLE_WEBCENTER_SITES_CPU_APR_2022.NASL", "ORACLE_WEBCENTER_SITES_OCT_2021_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2022.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2022.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2021.NASL", "REDHAT-RHSA-2019-2935.NASL", "REDHAT-RHSA-2019-2936.NASL", "REDHAT-RHSA-2019-2937.NASL", "REDHAT-RHSA-2020-0159.NASL", "REDHAT-RHSA-2020-0160.NASL", "REDHAT-RHSA-2020-0161.NASL", "REDHAT-RHSA-2020-0804.NASL", "REDHAT-RHSA-2020-0805.NASL", "REDHAT-RHSA-2020-0806.NASL", "REDHAT-RHSA-2020-0962.NASL", "REDHAT-RHSA-2020-2058.NASL", "REDHAT-RHSA-2020-2059.NASL", "REDHAT-RHSA-2020-2060.NASL", "REDHAT-RHSA-2020-2511.NASL", "REDHAT-RHSA-2020-2512.NASL", "REDHAT-RHSA-2020-2513.NASL", "REDHAT-RHSA-2020-2605.NASL", "REDHAT-RHSA-2020-2814.NASL", "REDHAT-RHSA-2020-2816.NASL", "REDHAT-RHSA-2020-3141.NASL", "REDHAT-RHSA-2020-3142.NASL", "REDHAT-RHSA-2020-3176.NASL", "REDHAT-RHSA-2020-3283.NASL", "REDHAT-RHSA-2020-3284.NASL", "REDHAT-RHSA-2020-3285.NASL", "REDHAT-RHSA-2020-3286.NASL", "REDHAT-RHSA-2020-3461.NASL", "REDHAT-RHSA-2020-3462.NASL", "REDHAT-RHSA-2020-3463.NASL", "REDHAT-RHSA-2020-3637.NASL", "REDHAT-RHSA-2020-3638.NASL", "REDHAT-RHSA-2020-3639.NASL", "REDHAT-RHSA-2020-3808.NASL", "REDHAT-RHSA-2020-3817.NASL", "REDHAT-RHSA-2020-3841.NASL", "REDHAT-RHSA-2020-4223.NASL", "REDHAT-RHSA-2020-4366.NASL", "REDHAT-RHSA-2021-0967.NASL", "REDHAT-RHSA-2021-0968.NASL", "REDHAT-RHSA-2021-0969.NASL", "REDHAT-RHSA-2021-1313.NASL", "REDHAT-RHSA-2022-8849.NASL", "REDHAT-RHSA-2022-8866.NASL", "SL_20200803_POSTGRESQL_JDBC_ON_SL6_X.NASL", "SL_20200803_POSTGRESQL_JDBC_ON_SL7_X.NASL", "SPRING_CLOUD_CONFIG_CVE-2020-5410.NASL", "SPRING_CVE-2020-5398.NASL", "UBUNTU_USN-4564-1.NASL", "UBUNTU_USN-4575-1.NASL", "UBUNTU_USN-4600-2.NASL", "UBUNTU_USN-4740-1.NASL", "UBUNTU_USN-6049-1.NASL", "UBUNTU_USN-6117-1.NASL", "WEBSPHERE_1288774.NASL", "WEBSPHERE_6322683.NASL", "WEBSPHERE_LIBERTY_6602039.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113657", "OPENVAS:1361412562310142400", "OPENVAS:1361412562310144238", "OPENVAS:1361412562310144239", "OPENVAS:1361412562310853182", "OPENVAS:1361412562310853223", "OPENVAS:1361412562310875653", "OPENVAS:1361412562310875658", "OPENVAS:1361412562310875739", "OPENVAS:1361412562310875809", "OPENVAS:1361412562310875836", "OPENVAS:1361412562310875944", "OPENVAS:1361412562310875964", "OPENVAS:1361412562310875998", "OPENVAS:1361412562310876032", "OPENVAS:1361412562310876132", "OPENVAS:1361412562310876185", "OPENVAS:1361412562310876215", "OPENVAS:1361412562310876220", "OPENVAS:1361412562310876248", "OPENVAS:1361412562310876257", "OPENVAS:1361412562310876270", "OPENVAS:1361412562310876291", "OPENVAS:1361412562310892161", "OPENVAS:1361412562310892191", "OPENVAS:1361412562310892273", "OPENVAS:1361412562311220201596", "OPENVAS:1361412562311220201677"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2019", "ORACLE:CPUAPR2020", "ORACLE:CPUAPR2021", "ORACLE:CPUAPR2022", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJAN2022", "ORACLE:CPUJAN2023", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2020", "ORACLE:CPUJUL2021", "ORACLE:CPUJUL2022", "ORACLE:CPUJUL2023", "ORACLE:CPUOCT2019", "ORACLE:CPUOCT2020", "ORACLE:CPUOCT2021", "ORACLE:CPUOCT2022"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3176", "ELSA-2020-3284", "ELSA-2020-3285"]}, {"type": "osv", "idList": ["OSV:DLA-2161-1", "OSV:DLA-2191-1", "OSV:DLA-2273-1", "OSV:DLA-2364-1", "OSV:DLA-2726-1", "OSV:DLA-2852-1", "OSV:DSA-4885-1", "OSV:DSA-5020-1", "OSV:DSA-5196-1", "OSV:GHSA-2VGM-WXR3-6W2J", "OSV:GHSA-2X6R-7427-95CM", "OSV:GHSA-32XF-JWMV-9HF3", "OSV:GHSA-37G7-8VJJ-PJPJ", "OSV:GHSA-3H29-52VH-PQGR", "OSV:GHSA-3WC8-659G-R88Q", "OSV:GHSA-42F2-F9VC-6365", "OSV:GHSA-4PV3-63JW-4JW2", "OSV:GHSA-58P8-9G59-Q2HR", "OSV:GHSA-63QC-P2X4-9FGF", "OSV:GHSA-6G88-99WJ-8MGG", "OSV:GHSA-72W9-FCJ5-3FCG", "OSV:GHSA-8222-6FC8-MHVF", "OSV:GHSA-88CC-G835-76RP", "OSV:GHSA-89MQ-4X47-5V83", "OSV:GHSA-8GRG-Q944-CCH5", "OSV:GHSA-8HXH-R6F7-JF45", "OSV:GHSA-8WX2-9Q48-VM9R", "OSV:GHSA-9JG9-6WM2-X7P5", "OSV:GHSA-9QCF-C26R-X5RF", "OSV:GHSA-9VFJ-5G7H-4P24", "OSV:GHSA-C27H-MCMW-48HV", "OSV:GHSA-CMX4-P4V5-HMR5", "OSV:GHSA-H4X4-5QP2-WP46", "OSV:GHSA-H79P-32MX-FJJ9", "OSV:GHSA-HFG5-XPVW-C9X4", "OSV:GHSA-HWJ3-M3P6-HJ38", "OSV:GHSA-JCQ3-CPRP-M333", "OSV:GHSA-JQ7P-26H5-W78R", "OSV:GHSA-M6MM-Q862-J366", "OSV:GHSA-M8P2-495H-CCMH", "OSV:GHSA-MHP6-PXH8-R675", "OSV:GHSA-MM9X-G8PC-W292", "OSV:GHSA-P9CF-QJXQ-VXW6", "OSV:GHSA-RJ7P-RFGP-852X", "OSV:GHSA-VRMW-2XHQ-HRMP", "OSV:GHSA-VWQQ-5VRC-XW9H", "OSV:GHSA-X3RH-M7VP-35F2", "OSV:GHSA-X64G-4XX9-FH6X", "OSV:GO-2021-0101"]}, {"type": "photon", "idList": ["PHSA-2023-3.0-0601"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D140886B3C4505719904327B06F12032"]}, {"type": "redhat", "idList": ["RHSA-2019:2935", "RHSA-2019:2936", "RHSA-2019:2937", "RHSA-2019:2938", "RHSA-2019:4243", "RHSA-2020:0159", "RHSA-2020:0160", "RHSA-2020:0161", "RHSA-2020:0164", "RHSA-2020:0445", "RHSA-2020:0556", "RHSA-2020:0804", "RHSA-2020:0805", "RHSA-2020:0806", "RHSA-2020:0811", "RHSA-2020:0951", "RHSA-2020:0961", "RHSA-2020:0962", "RHSA-2020:1422", "RHSA-2020:1538", "RHSA-2020:2058", "RHSA-2020:2059", "RHSA-2020:2060", "RHSA-2020:2061", "RHSA-2020:2067", "RHSA-2020:2112", "RHSA-2020:2321", "RHSA-2020:2333", "RHSA-2020:2391", "RHSA-2020:2511", "RHSA-2020:2512", "RHSA-2020:2513", "RHSA-2020:2515", "RHSA-2020:2565", "RHSA-2020:2605", "RHSA-2020:2618", "RHSA-2020:2751", "RHSA-2020:2813", "RHSA-2020:2814", "RHSA-2020:2816", "RHSA-2020:2905", "RHSA-2020:3005", "RHSA-2020:3017", "RHSA-2020:3133", "RHSA-2020:3141", "RHSA-2020:3142", "RHSA-2020:3143", "RHSA-2020:3144", "RHSA-2020:3176", "RHSA-2020:3196", "RHSA-2020:3197", "RHSA-2020:3209", "RHSA-2020:3247", "RHSA-2020:3248", "RHSA-2020:3283", "RHSA-2020:3284", "RHSA-2020:3285", "RHSA-2020:3286", "RHSA-2020:3461", "RHSA-2020:3462", "RHSA-2020:3463", "RHSA-2020:3464", "RHSA-2020:3501", "RHSA-2020:3539", "RHSA-2020:3585", "RHSA-2020:3587", "RHSA-2020:3626", "RHSA-2020:3637", "RHSA-2020:3638", "RHSA-2020:3639", "RHSA-2020:3642", "RHSA-2020:3675", "RHSA-2020:3678", "RHSA-2020:3779", "RHSA-2020:3808", "RHSA-2020:3817", "RHSA-2020:3841", "RHSA-2020:4220", "RHSA-2020:4223", "RHSA-2020:4252", "RHSA-2020:4366", "RHSA-2020:4960", "RHSA-2020:4961", "RHSA-2020:5249", "RHSA-2021:0110", "RHSA-2021:0384", "RHSA-2021:0417", "RHSA-2021:0603", "RHSA-2021:0967", "RHSA-2021:0968", "RHSA-2021:0969", "RHSA-2021:0974", "RHSA-2021:1044", "RHSA-2021:1313", "RHSA-2021:3140", "RHSA-2021:4767", "RHSA-2021:4918", "RHSA-2021:5134", "RHSA-2022:0497", "RHSA-2022:0507", "RHSA-2022:8849", "RHSA-2022:8866", "RHSA-2023:0274"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-1000873", "RH:CVE-2019-0205", "RH:CVE-2019-0210", "RH:CVE-2019-10202", "RH:CVE-2019-10219", "RH:CVE-2019-10768", "RH:CVE-2019-11777", "RH:CVE-2019-12406", "RH:CVE-2019-12423", "RH:CVE-2019-13990", "RH:CVE-2019-14900", "RH:CVE-2019-17566", "RH:CVE-2019-17638", "RH:CVE-2019-19343", "RH:CVE-2019-2692", "RH:CVE-2019-3773", "RH:CVE-2019-3774", "RH:CVE-2020-10683", "RH:CVE-2020-10740", "RH:CVE-2020-11612", "RH:CVE-2020-11971", "RH:CVE-2020-11972", "RH:CVE-2020-11973", "RH:CVE-2020-11980", "RH:CVE-2020-11989", "RH:CVE-2020-11994", "RH:CVE-2020-13692", "RH:CVE-2020-13933", "RH:CVE-2020-14326", "RH:CVE-2020-1714", "RH:CVE-2020-1719", "RH:CVE-2020-1950", "RH:CVE-2020-1960", "RH:CVE-2020-5398", "RH:CVE-2020-5410", "RH:CVE-2020-7226", "RH:CVE-2020-7676", "RH:CVE-2020-9488", "RH:CVE-2020-9489"]}, {"type": "rocky", "idList": ["RLSA-2020:3176"]}, {"type": "rosalinux", "idList": ["ROSA-SA-2021-1955"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0719-1", "OPENSUSE-SU-2020:0851-1", "OPENSUSE-SU-2020:1043-1"]}, {"type": "symantec", "idList": ["SMNTC-110539", "SMNTC-110540"]}, {"type": "thn", "idList": ["THN:6F9D6D4546C3D4DA1164354C8E552FDC"]}, {"type": "ubuntu", "idList": ["USN-4564-1", "USN-4575-1", "USN-4600-2", "USN-4740-1", "USN-5238-1", "USN-6049-1", "USN-6117-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-1000873", "UB:CVE-2019-0205", "UB:CVE-2019-0210", "UB:CVE-2019-10219", "UB:CVE-2019-10768", "UB:CVE-2019-13990", "UB:CVE-2019-17566", "UB:CVE-2019-17638", "UB:CVE-2019-19343", "UB:CVE-2019-2692", "UB:CVE-2020-10683", "UB:CVE-2020-11612", "UB:CVE-2020-11989", "UB:CVE-2020-13692", "UB:CVE-2020-13933", "UB:CVE-2020-14326", "UB:CVE-2020-1950", "UB:CVE-2020-5398", "UB:CVE-2020-7676", "UB:CVE-2020-9488", "UB:CVE-2020-9489"]}, {"type": "veracode", "idList": ["VERACODE:13236", "VERACODE:13238", "VERACODE:20694", "VERACODE:21556", "VERACODE:21591", "VERACODE:21791", "VERACODE:21926", "VERACODE:21982", "VERACODE:22174", "VERACODE:22265", "VERACODE:22312", "VERACODE:22317", "VERACODE:22475", "VERACODE:22529", "VERACODE:22744", "VERACODE:22967", "VERACODE:25055", "VERACODE:25075", "VERACODE:25078", "VERACODE:25376", "VERACODE:25389", "VERACODE:25417", "VERACODE:25439", "VERACODE:25440", "VERACODE:25442", "VERACODE:25519", "VERACODE:25566", "VERACODE:25586", "VERACODE:25614", "VERACODE:25636", "VERACODE:25684", "VERACODE:25693", "VERACODE:25737", "VERACODE:25845", "VERACODE:25873", "VERACODE:26340", "VERACODE:26346", "VERACODE:34795", "VERACODE:7649"]}]}, "score": {"value": 0.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:3176"]}, {"type": "amazon", "idList": ["ALAS2-2020-1482"]}, {"type": "archlinux", "idList": ["ASA-202005-8"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BSERV-12196", "ATLASSIAN:FE-7344"]}, {"type": "attackerkb", "idList": ["AKB:770521DD-D057-4195-A187-66787A667266", "AKB:9C1D0E92-46E7-498E-99D8-8198572E25E3", "AKB:FB2F65B2-D10B-4622-AEE6-41AAD3C1E6E7"]}, {"type": "centos", "idList": ["CESA-2020:3284", "CESA-2020:3285"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-2209"]}, {"type": "cve", "idList": ["CVE-2018-1000873", "CVE-2019-10219", "CVE-2019-10768", "CVE-2019-17566", "CVE-2019-2692", "CVE-2020-10683", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-13692", "CVE-2020-13933", "CVE-2020-14326", "CVE-2020-1714", "CVE-2020-1719", "CVE-2020-1950", "CVE-2020-1960", "CVE-2020-5410", "CVE-2020-7676", "CVE-2020-9488", "CVE-2020-9489"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2161-1:2B202", "DEBIAN:DLA-2191-1:AF8DE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-10768", "DEBIANCVE:CVE-2019-17566", "DEBIANCVE:CVE-2020-7676", "DEBIANCVE:CVE-2020-9488"]}, {"type": "f5", "idList": ["F5:K02349370", "F5:K23157312", "F5:K32412075"]}, {"type": "fedora", "idList": ["FEDORA:12DAE6051076", "FEDORA:2BBC46051742", "FEDORA:32EC36051065", "FEDORA:489136051065", "FEDORA:4DF45605106F", "FEDORA:62812605106F", "FEDORA:67F5A6051068", "FEDORA:7C4736051069", "FEDORA:82BA46051069", "FEDORA:957DA605174F", "FEDORA:9E3346051071", "FEDORA:B11A16051070", "FEDORA:B8E2D6051075", "FEDORA:C4FE16051044", "FEDORA:D1E836050C52", "FEDORA:E63546051071", "FEDORA:EC39E6051044"]}, {"type": "freebsd", "idList": ["09EA1B08-1D3E-4BF2-91A1-D6573F4DA3D8"]}, {"type": "gentoo", "idList": ["GLSA-202107-32"]}, {"type": "github", "idList": ["GHSA-2X6R-7427-95CM", "GHSA-32XF-JWMV-9HF3", "GHSA-3WC8-659G-R88Q", "GHSA-42F2-F9VC-6365", "GHSA-58P8-9G59-Q2HR", "GHSA-63QC-P2X4-9FGF", "GHSA-6G88-99WJ-8MGG", "GHSA-8222-6FC8-MHVF", "GHSA-89MQ-4X47-5V83", "GHSA-9VFJ-5G7H-4P24", "GHSA-H4X4-5QP2-WP46", "GHSA-H79P-32MX-FJJ9", "GHSA-HFG5-XPVW-C9X4", "GHSA-HWJ3-M3P6-HJ38", "GHSA-JQ7P-26H5-W78R", "GHSA-P9CF-QJXQ-VXW6", "GHSA-VWQQ-5VRC-XW9H", "GHSA-X3RH-M7VP-35F2", "GHSA-X64G-4XX9-FH6X"]}, {"type": "githubexploit", "idList": ["0FF82942-18BE-564C-8559-A8747AF02003", "1A203CD7-3FDD-5243-94EB-06C3564EB1A3", "4149EA3B-6A39-507B-A34C-22418BD1F20A", "4D38002E-58DF-5264-9A2E-9E446EDF6721", "90D8ACE9-AE14-5976-A039-C2AB9C529504", "92A898EB-09D3-5A57-B135-DD1C175B6B18", "D05BED3C-1405-5414-B868-D7E9E1AEC6EF", "F03542D2-479B-5B94-9D8B-B72D71D8CBCA"]}, {"type": "ibm", "idList": ["1A7668E81452E83AB00678328095567DA17543F8BDE6DB1EE678E96C5B064FD6", "43889098AF27B56E1AAC2C0ADC87D15751A2B0CCE3BF25260E32BBE3CCA7CE93", "644A8D20EA5C122A543FD2875F814F29458A670A8F81310C4182A6D4DD814E43", "7ABBC2216D89EE5076D0AB79D6300D3A5AE89E3041479BE2F8B35ABF99235A12", "82A9F24907A9B5CA433EF30634767972B95813695A7590E7216F059F1BAF1D8D", "9D10729AB8873D23F2244363D8A1DDDC6F4683B3420052FC513112D30B8E6FC8", "A14B65EBA573DAF04C0BB9F6CE66AF135D8290DA8A5F45D119CC85DEA986374A", "C034F4A93C7986F86B5276634B82B774DA1796B9A2CC2371DA4859670D82233E", "D64BC5FE778E62F52FAF1A558C46AB9C63D2D06A74FDE22CC1A16BB67C6A0E8C", "DD7E796DC101D56D3818D53295F88146B9FC7EE7058C596477B1B5AFCE363B74"]}, {"type": "ics", "idList": ["ICSA-20-133-02"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/ORACLE-MYSQL-CVE-2020-5398/", "MSF:ILITIES/ORACLE-WEBLOGIC-CVE-2020-5398/", "MSF:ILITIES/RED_HAT-JBOSS_EAP-CVE-2019-10202/"]}, {"type": "nessus", "idList": ["APACHE_LOG4J_2_13_2.NASL", "CENTOS_RHSA-2020-3284.NASL", "CENTOS_RHSA-2020-3285.NASL", "DEBIAN_DLA-2161.NASL", "DEBIAN_DLA-2191.NASL", "EULEROS_SA-2020-1596.NASL", "EULEROS_SA-2020-1799.NASL", "F5_BIGIP_SOL23157312.NASL", "FEDORA_2020-5A31CCFE66.NASL", "FREEBSD_PKG_09EA1B081D3E4BF291A1D6573F4DA3D8.NASL", "OPENSUSE-2020-719.NASL", "ORACLELINUX_ELSA-2020-3176.NASL", "ORACLELINUX_ELSA-2020-3284.NASL", "ORACLELINUX_ELSA-2020-3285.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_OCT_2020_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2021.NASL", "REDHAT-RHSA-2020-0804.NASL", "REDHAT-RHSA-2020-0805.NASL", "REDHAT-RHSA-2020-0806.NASL", "REDHAT-RHSA-2020-0962.NASL", "REDHAT-RHSA-2020-3176.NASL", "REDHAT-RHSA-2020-3283.NASL", "REDHAT-RHSA-2020-3284.NASL", "REDHAT-RHSA-2020-3285.NASL", "REDHAT-RHSA-2020-3286.NASL", "REDHAT-RHSA-2020-3461.NASL", "REDHAT-RHSA-2020-3462.NASL", "REDHAT-RHSA-2020-3463.NASL", "REDHAT_UPDATE_LEVEL.NASL", "SL_20200803_POSTGRESQL_JDBC_ON_SL6_X.NASL", "SL_20200803_POSTGRESQL_JDBC_ON_SL7_X.NASL", "UBUNTU_USN-4564-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113657", "OPENVAS:1361412562310142400", "OPENVAS:1361412562310853182", "OPENVAS:1361412562310875653", "OPENVAS:1361412562310875658", "OPENVAS:1361412562310875739", "OPENVAS:1361412562310875809", "OPENVAS:1361412562310875836", "OPENVAS:1361412562310875944", "OPENVAS:1361412562310875964", "OPENVAS:1361412562310875998", "OPENVAS:1361412562310876032", "OPENVAS:1361412562310876132", "OPENVAS:1361412562310876185", "OPENVAS:1361412562310876215", "OPENVAS:1361412562310876220", "OPENVAS:1361412562310876248", "OPENVAS:1361412562310876257", "OPENVAS:1361412562310876270", "OPENVAS:1361412562310876291", "OPENVAS:1361412562310892161", "OPENVAS:1361412562310892191", "OPENVAS:1361412562311220201596"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3176"]}, {"type": "redhat", "idList": ["RHSA-2020:1422", "RHSA-2020:1538", "RHSA-2020:2061", "RHSA-2020:3209", "RHSA-2020:3248"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-10219", "RH:CVE-2019-10768", "RH:CVE-2019-11777", "RH:CVE-2019-12406", "RH:CVE-2019-12423", "RH:CVE-2019-13990", "RH:CVE-2019-14900", "RH:CVE-2019-17566", "RH:CVE-2019-17638", "RH:CVE-2019-19343", "RH:CVE-2019-2692", "RH:CVE-2019-3774", "RH:CVE-2020-10683", "RH:CVE-2020-11612", "RH:CVE-2020-11971", "RH:CVE-2020-11972", "RH:CVE-2020-11973", "RH:CVE-2020-11980", "RH:CVE-2020-11989", "RH:CVE-2020-11994", "RH:CVE-2020-13692", "RH:CVE-2020-13933", "RH:CVE-2020-14326", "RH:CVE-2020-1714", "RH:CVE-2020-1719", "RH:CVE-2020-1950", "RH:CVE-2020-1960", "RH:CVE-2020-5398", "RH:CVE-2020-5410", "RH:CVE-2020-7226", "RH:CVE-2020-7676", "RH:CVE-2020-9488", "RH:CVE-2020-9489"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0719-1"]}, {"type": "thn", "idList": ["THN:6F9D6D4546C3D4DA1164354C8E552FDC"]}, {"type": "ubuntu", "idList": ["USN-4564-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-14326"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-1000873", "epss": 0.00205, "percentile": 0.56961, "modified": "2023-05-07"}, {"cve": "CVE-2019-0205", "epss": 0.00301, "percentile": 0.64969, "modified": "2023-05-07"}, {"cve": "CVE-2019-0210", "epss": 0.00328, "percentile": 0.66495, "modified": "2023-05-07"}, {"cve": "CVE-2019-10202", "epss": 0.00904, "percentile": 0.8043, "modified": "2023-05-07"}, {"cve": "CVE-2019-10219", "epss": 0.00187, "percentile": 0.54524, "modified": "2023-05-07"}, {"cve": "CVE-2019-10768", "epss": 0.00091, "percentile": 0.37373, "modified": "2023-05-07"}, {"cve": "CVE-2019-11777", "epss": 0.00125, "percentile": 0.45619, "modified": "2023-05-07"}, {"cve": "CVE-2019-12406", "epss": 0.00245, "percentile": 0.61, "modified": "2023-05-07"}, {"cve": "CVE-2019-12423", "epss": 0.00239, "percentile": 0.60455, "modified": "2023-05-07"}, {"cve": "CVE-2019-13990", "epss": 0.00354, "percentile": 0.67753, "modified": "2023-05-07"}, {"cve": "CVE-2019-14900", "epss": 0.00104, "percentile": 0.40942, "modified": "2023-05-07"}, {"cve": "CVE-2019-17566", "epss": 0.00172, "percentile": 0.52802, "modified": "2023-05-07"}, {"cve": "CVE-2019-17638", "epss": 0.0042, "percentile": 0.70398, "modified": "2023-05-07"}, {"cve": "CVE-2019-19343", "epss": 0.00133, "percentile": 0.47019, "modified": "2023-05-07"}, {"cve": "CVE-2019-2692", "epss": 0.00045, "percentile": 0.12338, "modified": "2023-05-07"}, {"cve": "CVE-2019-3773", "epss": 0.00636, "percentile": 0.76036, "modified": "2023-05-07"}, {"cve": "CVE-2019-3774", "epss": 0.00835, "percentile": 0.79635, "modified": "2023-05-07"}, {"cve": "CVE-2020-10683", "epss": 0.00261, "percentile": 0.623, "modified": "2023-05-07"}, {"cve": "CVE-2020-10740", "epss": 0.00333, "percentile": 0.66786, "modified": "2023-05-07"}, {"cve": "CVE-2020-11612", "epss": 0.00593, "percentile": 0.75137, "modified": "2023-05-07"}, {"cve": "CVE-2020-11971", "epss": 0.00107, "percentile": 0.42123, "modified": "2023-05-07"}, {"cve": "CVE-2020-11972", "epss": 0.00884, "percentile": 0.80191, "modified": "2023-05-07"}, {"cve": "CVE-2020-11973", "epss": 0.01072, "percentile": 0.82091, "modified": "2023-05-07"}, {"cve": "CVE-2020-11980", "epss": 0.00071, "percentile": 0.28928, "modified": "2023-05-07"}, {"cve": "CVE-2020-11989", "epss": 0.26221, "percentile": 0.96023, "modified": "2023-05-07"}, {"cve": "CVE-2020-11994", "epss": 0.00056, "percentile": 0.20981, "modified": "2023-05-07"}, {"cve": "CVE-2020-13692", "epss": 0.0064, "percentile": 0.76157, "modified": "2023-05-07"}, {"cve": "CVE-2020-13933", "epss": 0.00075, "percentile": 0.30427, "modified": "2023-05-07"}, {"cve": "CVE-2020-14326", "epss": 0.00084, "percentile": 0.34298, "modified": "2023-05-07"}, {"cve": "CVE-2020-1714", "epss": 0.00387, "percentile": 0.69221, "modified": "2023-05-07"}, {"cve": "CVE-2020-1719", "epss": 0.00054, "percentile": 0.20499, "modified": "2023-05-07"}, {"cve": "CVE-2020-1950", "epss": 0.00055, "percentile": 0.20836, "modified": "2023-05-07"}, {"cve": "CVE-2020-1960", "epss": 0.00042, "percentile": 0.05667, "modified": "2023-05-07"}, {"cve": "CVE-2020-5398", "epss": 0.97067, "percentile": 0.99604, "modified": "2023-05-07"}, {"cve": "CVE-2020-5410", "epss": 0.9712, "percentile": 0.99628, "modified": "2023-05-07"}, {"cve": "CVE-2020-7226", "epss": 0.00932, "percentile": 0.80718, "modified": "2023-05-07"}, {"cve": "CVE-2020-7676", "epss": 0.0022, "percentile": 0.58442, "modified": "2023-05-07"}, {"cve": "CVE-2020-9488", "epss": 0.0026, "percentile": 0.62247, "modified": "2023-05-07"}, {"cve": "CVE-2020-9489", "epss": 0.00055, "percentile": 0.20836, "modified": "2023-05-07"}], "vulnersScore": 0.7}, "_state": {"dependencies": 1691153456, "score": 1691153695, "epss": 0}, "_internal": {"score_hash": "8edc671ab22bfd526f477032c2cabfcc"}, "affectedPackage": [], "vendorCvss": {"severity": "important"}}

{"ibm": [{"lastseen": "2023-02-27T21:52:09", "description": "## Summary\n\nApache Camel's JMX, Apache Camel RabbitMQ and Apache Camel Netty are used by IBM Operations Analytics Predictive Insights. IBM Operations Analytics Predictive Insights has addressed the applicable CVEs. See Remediation/Fixes section to apply the recommended fixes.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-11971](<https://vulners.com/cve/CVE-2020-11971>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by a rebind flaw in JMX. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11973](<https://vulners.com/cve/CVE-2020-11973>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in Netty. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181963>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11972](<https://vulners.com/cve/CVE-2020-11972>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in RabbitMQ. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Operations Analytics Predictive Insights| 1.3.6 \n \n\n\n## Remediation/Fixes\n\nApply 1.3.6 Interim Fix 2 or later. \n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&amp;release=1.3.6](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6> \"https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-11T14:33:29", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Camel's JMX, Apache Camel RabbitMQ and Apache Camel Netty affects IBM Operations Analytics Predictive Insights (CVE-2020-11971, CVE-2020-11972, CVE-2020-11973)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973"], "modified": "2020-08-11T14:33:29", "id": "0DB781AA08EB5BF3514B03091A0400B8238C108F721C116A9739CB261ED78D7F", "href": "https://www.ibm.com/support/pages/node/6258035", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:00", "description": "## Summary\n\nApache Camel is a dependency component shipped with the IBM Netcool/OMNIbus Probe DSL Factory Framework. Information about the security vulnerabilities affecting Apache Camel has been published. (CVE-2020-11971, CVE-2020-11973, CVE-2020-11972)\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-11971](<https://vulners.com/cve/CVE-2020-11971>) \n**DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by a rebind flaw in JMX. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID: **[CVE-2020-11973](<https://vulners.com/cve/CVE-2020-11973>) \n**DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in Netty. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181963>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2020-11972](<https://vulners.com/cve/CVE-2020-11972>) \n**DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in RabbitMQ. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \n \nNetcool/OMNIbus Probe DSL Factory Framework\n\n| \n\nprobe-dsl-framework-1_0 up to and including probe-dsl-framework-6_0 \n \n## Remediation/Fixes\n\nAffected Product(s) | Version(s) \n---|--- \nNetcool/OMNIbus Probe DSL Factory Framework | \n\n[probe-dsl-framework-7_0](<https://www.ibm.com/support/pages/node/727019> \"probe-dsl-framework-7_0\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-16T05:05:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in Apache Camel shipped with IBM Netcool/OMNIbus Probe DSL Factory Framework", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973"], "modified": "2020-07-16T05:05:01", "id": "31C0D6F0198B5B32668729F457051BC27E8C565F391B61E6339D7B6015170602", "href": "https://www.ibm.com/support/pages/node/6244498", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:54:51", "description": "## Summary\n\nIBM Jazz for Service Management is vulnerable to Apache Camel Core vulnerabilities (CVE-2020-11971, CVE-2020-11973, CVE-2020-11972)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-11971](<https://vulners.com/cve/CVE-2020-11971>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by a rebind flaw in JMX. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11973](<https://vulners.com/cve/CVE-2020-11973>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in Netty. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181963>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11972](<https://vulners.com/cve/CVE-2020-11972>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in RabbitMQ. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3 \n \n\n\n## Remediation/Fixes\n\n**Affected JazzSM Version**| **Recommended Fix** \n---|--- \nJazz for Service Management version 1.1.3| The following two patches need to be installed \n\n1\\. Install : [1.1.3-TIV-JazzSM-multi-FP006](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP006\" )\n\n2\\. Install: [1.1.3.6-TIV-JazzSM-DASH-iFix-0002](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3.6-TIV-JazzSM-DASH-iFix-0002\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-15T06:00:57", "type": "ibm", "title": "Security Bulletin: IBM Jazz for Service Management is vulnerable to Apache Camel Core vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973"], "modified": "2020-06-15T06:00:57", "id": "5E5C3542432C244148D8B1FE3AB5BF8C0F5F43AB9B9058BF91D5D4BFEA40DA5C", "href": "https://www.ibm.com/support/pages/node/6232458", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:23", "description": "## Summary\n\nIBM Resilient SOAR is using Apache Camel that has known vulnerabilities, as described below. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0188](<https://vulners.com/cve/CVE-2019-0188>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by an outdated JSON-lib library. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to read arbitrary files on the system. \nCVSS Base score: 5.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/161424](<https://exchange.xforce.ibmcloud.com/vulnerabilities/161424>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-11972](<https://vulners.com/cve/CVE-2020-11972>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in RabbitMQ. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11973](<https://vulners.com/cve/CVE-2020-11973>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in Netty. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181963>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nResilient OnPrem| IBM Security SOAR \n \n\n\n## Remediation/Fixes\n\nUsers must upgrade to v38.0 of IBM Resilient in order to obtain a fix for this vulnerability. \n\nYou can upgrade the platform by following the instructions in the \"[Upgrade Procedure](<https://www.ibm.com/support/knowledgecenter/SSBRUQ_38.0.0/doc/install/resilient_install_upgrading.html> \"Upgrade Procedure\" )\" section in the IBM Knowledge Center. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-01T12:30:09", "type": "ibm", "title": "Security Bulletin:IBM Resilient SOAR is Using Components with Known Vulnerabilities - Apache Camel ( CVE-2019-0188, CVE-2020-11972, CVE-2020-11973)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0188", "CVE-2020-11972", "CVE-2020-11973"], "modified": "2020-10-01T12:30:09", "id": "D9933DC2F45243B1EECAAC88FFE4749460DD4954EC12DA4342D5EE3BE7459FB0", "href": "https://www.ibm.com/support/pages/node/6340097", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-24T01:39:08", "description": "## Summary\n\nMultiple vulenerabilities CVE-2019-0205, CVE-2019-0210 in thrift package \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0205](<https://vulners.com/cve/CVE-2019-0205>) \n** DESCRIPTION: **In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169460](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169460>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n \n** CVEID: **[CVE-2019-0210](<https://vulners.com/cve/CVE-2019-0210>) \n** DESCRIPTION: **In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169459](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169459>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Machine Learning CE| 1.6.0 \nIBM Watson Machine Learning CE| 1.6.1 \nIBM Watson Machine Learning CE| 1.6.2 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| APAR| Remediation / First Fix \n---|---|---|--- \nIBM Watson Machine Learning CE| 1.6.2| None| thrift-cpp 0.12.0 580.gf96fa62 ibmdl/export/pub/software/server/ibm-ai/conda \n \nFix: thrift-cpp version updated to 0.12.0 for CVE-2019-0210 and including code fix/changes for CVE-2019-0205.\n\nBefore installation, verify that the specific build of cudf is available in the conda channel using the command: \nconda search cudf=0.9.0 -c <https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/>\n\nOutput of the above command should contain the following (in addition to other builds of cudf): \n# Name Version Build Channel \ncudf 0.9.0 cuda10.1_py36_626.gddcad2d ibmdl/export/pub/software/server/ibm-ai/conda \ncudf 0.9.0 cuda10.1_py37_626.gddcad2d ibmdl/export/pub/software/server/ibm-ai/conda\n\nFew other packages that will be updated automatically to the following versions when the above build of cudf is installed: \narrow-cpp 0.15.1 py36_603.g702c836 ibmdl/export/pub/software/server/ibm-ai/conda \narrow-cpp 0.15.1 py37_603.g702c836 ibmdl/export/pub/software/server/ibm-ai/conda \npyarrow 0.15.1 py36_609.g3a6717a ibmdl/export/pub/software/server/ibm-ai/conda \npyarrow 0.15.1 py37_609.g3a6717a ibmdl/export/pub/software/server/ibm-ai/conda \nparquet-cpp 1.5.1 579.g6eecc60 ibmdl/export/pub/software/server/ibm-ai/conda \nlibcudf 0.9.0 cuda10.1_609.g113236a ibmdl/export/pub/software/server/ibm-ai/conda \nthrift-cpp 0.12.0 580.gf96fa62 ibmdl/export/pub/software/server/ibm-ai/conda\n\nInstallation of fix: Install the fix for python3.6 conda environment using the following command. \nconda install -c <https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/> cudf=0.9.0=cuda10.1_py36_626.gddcad2d\n\nVerification: The following command should pass and give one line output in python3.6 conda environment: \nconda list cudf | grep cuda10.1_py36_626.gddcad2d\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Multiple vulenerabilities CVE-2019-0205, CVE-2019-0210 in thrift package", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210"], "modified": "2019-12-20T08:47:33", "id": "82A9F24907A9B5CA433EF30634767972B95813695A7590E7216F059F1BAF1D8D", "href": "https://www.ibm.com/support/pages/node/1120701", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-13T17:35:26", "description": "## Summary\n\nIBM Business Automation Workflow packages a vulnerable version of angular js.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-14863](<https://vulners.com/cve/CVE-2019-14863>) \n** DESCRIPTION: **Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173893](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173893>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-10768](<https://vulners.com/cve/CVE-2019-10768>) \n** DESCRIPTION: **AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status \n---|---|--- \nIBM Business Automation Workflow containers| \n\nV22.0.2 all fixes\n\n| not affected \nIBM Business Automation Workflow containers| \n\nV22.0.1 all fixes \nV21.0.3 - V21.0.3-IFT020 \nV21.0.2 all fixes \nV20.0.0.2 all fixes \nV20.0.0.1 all fixes\n\n| affected \nIBM Business Automation Workflow traditional| V22.0.2| not affected \nIBM Business Automation Workflow traditional| V22.0.1 \nV21.0.1 - V21.0.3.1 \nV20.0.0.1 - V20.0.0.2 \nV19.0.0.1 - V19.0.0.3| affected \nIBM Business Automation Workflow Enterprise Service Bus| V22.0.2| not affected \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\n \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR [DT213423](<https://www.ibm.com/mysupport/aCI3p000000CyKe> \"DT213423\" ) as soon as practical. \n\nAffected Product(s)| Version(s)| Remediation / Fix \n---|---|--- \nIBM Business Automation Workflow containers| V22.0.1| Upgrade to Business Automation Workflow on Containers 22.0.2 and apply [22.0.2-IF005](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.1-IF005\" ) \nIBM Business Automation Workflow containers| V21.0.3| Apply [21.0.3-IF021](<https://www.ibm.com/support/pages/node/6574109> \"21.0.3-IF021\" ) \nor upgrade to [22.0.2 latest ifix](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.2 latest ifix\" ) \nIBM Business Automation Workflow containers| V21.0.2 \nV20.0.0.1 - V20.0.0.2| Upgrade to [21.0.3-IF021](<https://www.ibm.com/support/pages/node/6574109> \"21.0.3-IF021\" ) \nor upgrade to [22.0.2 latest ifix](<https://www.ibm.com/support/pages/readme-ibm-business-automation-workflow-containers-2202-interim-fixes> \"22.0.2 latest ifix\" ) \nIBM Business Automation Workflow traditional| V21.0.3.1| \n\nApply [DT213423](<https://www.ibm.com/mysupport/aCI3p000000CyKe> \"DT213423\" ) \nor upgrade to [IBM Business Automation Workflow traditional V22.0.2](<https://www.ibm.com/support/pages/node/6830489> \"IBM Business Automation Workflow traditional V22.0.2\" ) \n \nIBM Business Automation Workflow traditional| V20.0.0.2| Upgrade to [IBM Business Automation Workflow traditional V22.0.2](<https://www.ibm.com/support/pages/node/6830489> \"IBM Business Automation Workflow traditional V22.0.2\" ) \nIBM Business Automation Workflow traditional| V22.0.1 \nV21.0.2 \nV20.0.0.1 \nV19.0.0.3| Upgrade to a long term support release or the latest SSCD version. See [IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum](<https://www.ibm.com/support/pages/ibm-business-automation-workflow-and-ibm-integration-designer-software-support-lifecycle-addendum> \"IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-06-05T19:42:57", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in angular.js may affect IBM Business Automation Workflow ( CVE-2019-14863, CVE-2020-7676, CVE-2019-10768)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10768", "CVE-2019-14863", "CVE-2020-7676"], "modified": "2023-06-05T19:42:57", "id": "4C55D0F935CAC3173B24A2C1EC5A9D52352A95DF1F7DA61A873550097C4F2287", "href": "https://www.ibm.com/support/pages/node/7001343", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T06:16:41", "description": "## Summary\n\nIBM has addressed the applicable CVEs\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-14863](<https://vulners.com/cve/CVE-2019-14863>) \n** DESCRIPTION: **Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173893](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173893>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-10768](<https://vulners.com/cve/CVE-2019-10768>) \n** DESCRIPTION: **AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** Third Party Entry: **172544 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the document.implementation.createHTMLDocument(). A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172544 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172544>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** Third Party Entry: **172550 \n** DESCRIPTION: **AngularJS is vulnerable to a denial of service, caused by the failure of the $sanitize sanitizer to traverse the HTML when one or more of the elements in the HTML have been &amp;#34;clobbered&amp;#34;. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172550 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172550>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** Third Party Entry: **172543 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the $http function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172543 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172543>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM DataPower Gateway V10 CD| 10.0.2.0 \nIBM DataPower Gateway 10.0.1| 10.0.1.0-10.0.1.4 \nIBM DataPower Gateway| 2018.4.1.0-2018.4.1.16 \n \n\n\n## Remediation/Fixes\n\nAffected Product \n| Fixed in version \n| APAR \n \n---|---|--- \nIBM DataPower Gateway V10 CD \n| 10.0.3.0 \n| [IT37933](<https://www.ibm.com/support/pages/apar/IT37933> \"IT37933\" ) \n \nIBM DataPower Gateway 10.0.1 \n| 10.0.1.4 \n| [IT37933](<https://www.ibm.com/support/pages/apar/IT37933> \"IT37933\" ) \nIBM DataPower Gateway 2018.4.1 \n| 2018.4.1.17 \n| [IT37933](<https://www.ibm.com/support/pages/apar/IT37933> \"IT37933\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-16T15:43:07", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in AngularJS", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10768", "CVE-2019-14863", "CVE-2020-7676"], "modified": "2021-08-16T15:43:07", "id": "7ABBC2216D89EE5076D0AB79D6300D3A5AE89E3041479BE2F8B35ABF99235A12", "href": "https://www.ibm.com/support/pages/node/6481681", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-24T06:16:43", "description": "## Summary\n\nIBM MQ Appliance has resolved multiple AngularJS vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-14863](<https://vulners.com/cve/CVE-2019-14863>) \n** DESCRIPTION: **Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173893](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173893>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2019-10768](<https://vulners.com/cve/CVE-2019-10768>) \n** DESCRIPTION: **AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** Third Party Entry: **172544 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the document.implementation.createHTMLDocument(). A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172544 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172544>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** Third Party Entry: **172550 \n** DESCRIPTION: **AngularJS is vulnerable to a denial of service, caused by the failure of the $sanitize sanitizer to traverse the HTML when one or more of the elements in the HTML have been &amp;#34;clobbered&amp;#34;. A remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172550 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172550>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** Third Party Entry: **172543 \n** DESCRIPTION: **AngularJS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the $http function. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim&amp;#39;s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim&amp;#39;s cookie-based authentication credentials. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/172543 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172543>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM MQ Appliance| 9.1 LTS \nIBM MQ Appliance| 9.2 CD \nIBM MQ Appliance| 9.2 LTS \nIBM MQ Appliance| 9.1 CD \n \n## Remediation/Fixes\n\nThis vulnerability is addressed under APAR IT37277.\n\n \n\n\n**IBM MQ Appliance version 9.1 LTS**\n\nApply iFix IT37277, or later firmware. &lt;Link TBC&gt;\n\n \n\n\n**IBM MQ Appliance version 9.1 CD**\n\nUpgrade to 9.2.2 CD iFix IT37277, or later firmware. &lt;Link TBC&gt;\n\n \n\n\n**IBM MQ Appliance version 9.2 LTS**\n\nApply iFix IT37277, or later firmware. &lt;Link TBC&gt;\n\n \n\n\n**IBM MQ Appliance version 9.2 CD**\n\nApply iFix IT37277, or later firmware. &lt;Link TBC&gt;\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-13T22:11:10", "type": "ibm", "title": "Security Bulletin: IBM MQ Appliance is affected by multiple AngularJS vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10768", "CVE-2019-14863", "CVE-2020-7676"], "modified": "2021-08-13T22:11:10", "id": "C758ABF843AEA1CFD27E07A6C5B13C15DDBAF74E0B92D29DBBA15B245A620B72", "href": "https://www.ibm.com/support/pages/node/6466723", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:54:45", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Apache Tika.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-9489](<https://vulners.com/cve/CVE-2020-9489>) \n** DESCRIPTION: **Apache Tika is vulnerable to a denial of service, caused by an out of memory error and infinite loop flaw in the ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180712](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180712>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-1951](<https://vulners.com/cve/CVE-2020-1951>) \n** DESCRIPTION: **Apache Tika is vulnerable to a denial of service, caused by an error in the PSDParser. By persuading a victim to open a specially-crafted PSD file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178089](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178089>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-1950](<https://vulners.com/cve/CVE-2020-1950>) \n** DESCRIPTION: **Apache Tika is vulnerable to a denial of service, caused by an excessive memory usage flaw in the PSDParser. By persuading a victim to open a specially-crafted PSD file, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178088>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.1.2 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1.3 \n \n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-19T05:12:26", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Tika", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1950", "CVE-2020-1951", "CVE-2020-9489"], "modified": "2020-06-19T05:12:26", "id": "0B32FE452355B1C3468364CEE7BB901540B1401AA499444B7D5418E694FA963A", "href": "https://www.ibm.com/support/pages/node/6228090", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-16T17:45:31", "description": "## Summary\n\nIBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Apache Thrift.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0205](<https://vulners.com/cve/CVE-2019-0205>) \n** DESCRIPTION: **Apache Thrift is vulnerable to a denial of service, caused by an error when processing untrusted Thrift payload. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169460](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169460>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0210](<https://vulners.com/cve/CVE-2019-0210>) \n** DESCRIPTION: **Apache Thrift is vulnerable to a denial of service, caused by an out-of-bounds read in a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol. A remote attacker could exploit this vulnerability to cause the application to panic. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169459](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169459>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13949](<https://vulners.com/cve/CVE-2020-13949>) \n** DESCRIPTION: **Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploit this vulnerability to cause a large memory allocation. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/196738](<https://exchange.xforce.ibmcloud.com/vulnerabilities/196738>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWatson Discovery| 4.0.0-4.6.3 \n \n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 4.6.5\n\n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-05-02T22:53:35", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Thrift", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2020-13949"], "modified": "2023-05-02T22:53:35", "id": "05996CA3681F693A59525A2CFB7913B00FD3EC80FA9669C448A3B527653DAB6F", "href": "https://www.ibm.com/support/pages/node/6983567", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-06T17:58:20", "description": "## Summary\n\nA cross-site scripting vulnerability in Angular.js used by IBM InfoSphere Information Server was addressed.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n**DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nInfoSphere Information Server | 11.7 \nInfoSphere Information Server | 11.5 \n \n## Remediation/Fixes\n\n## \n\n_Product_ | _VRMF_ | _APAR_ | _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Analyzer, Information Server on Cloud | 11.7 | [JR62969](<http://www.ibm.com/support/docview.wss?uid=swg1JR62969> \"JR62969\" ) \n| \\--Apply InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/docview.wss?uid=ibm10878310> \"11.7.1.0\" ) \n\\--Apply InfoSphere Information Server version [11.7.1.0 Fix Pack 1](<https://www.ibm.com/support/pages/node/6209196> \"11.7.1.0 Fix Pack 1\" ) \n\\--Apply InfoSphere Information Server [11.7.1.1 Service Pack 1](<https://www.ibm.com/support/pages/node/6438057> \"11.7.1.1 Service Pack 1\" ) \n \nFor Red Hat 8 installations contact IBM Customer support \nInfoSphere Information Analyzer, Information Server on Cloud | 11.5 | [JR62969](<http://www.ibm.com/support/docview.wss?uid=swg1JR62969> \"JR62969\" ) \n| \\--Apply InfoSphere Information Server version [11.5.0.2](<http://www.ibm.com/support/docview.wss?uid=swg24043666>) \n\\--Apply InfoSphere [Information Analyzer Security patch ](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11502_Security_JR62969_services_multi*> \"Information Analyzer Security patch\" ) \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [contacts for other countries](<http://www.ibm.com/planetwide/> \"contacts for other countries\" ) outside of the United States. \nElectronically [open a Service Request](<http://www.ibm.com/software/support/probsub.html> \"open a Service Request\" ) with Information Server Technical Support.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-17T23:04:52", "type": "ibm", "title": "Security Bulletin: A cross-site scripting vulnerability in Angular.js affects IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2021-06-17T23:04:52", "id": "50DC1B1994895BC1C226A92BC0B7264A641557390B46248C6B3F4616AE8CF0C5", "href": "https://www.ibm.com/support/pages/node/6437195", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T17:42:06", "description": "## Summary\n\nIBM Tivoli Monitoring Data provider is vulnerable to Apache Camel Core vulnerabilty CVE-2020-11971\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-11971](<https://vulners.com/cve/CVE-2020-11971>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by a rebind flaw in JMX. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Monitoring| 6.3.0.7 Service Pack 6 up to Service Pack 12 \n \n\n\n## Remediation/Fixes\n\nFix| VRMF| Remediation/Fix \n---|---|--- \n6.3.0.7-TIV-ITM-SP0013| 6.3.0.7 | [IBM Tivoli Monitoring Service Pack 6.3.0.7-TIV-ITM-SP0013](<https://www.ibm.com/support/pages/ibm-tivoli-monitoring-630-fix-pack-7-service-pack-13-6307-tiv-itm-sp0013> \"IBM Tivoli Monitoring Service Pack 6.3.0.7-TIV-ITM-SP0013\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-12-30T17:31:59", "type": "ibm", "title": "Security Bulletin: Apache Camel Core vulnerability in IBM Tivoli Monitoring Data Provider (CVE-2020-11971)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2022-12-30T17:31:59", "id": "81489FC3C5B7D5FCB5B59EA6F0E2BD3C9EE1E397EFC067E75215C457F66C5C91", "href": "https://www.ibm.com/support/pages/node/6825717", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T06:02:19", "description": "## Summary\n\nIBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) and Version(s)| Affecting Product(s) and Version(s) \n---|--- \n \nIBM WebSphere Hybrid Edition\n\n * 5.1\n| \n\nlBM WebSphere Appllcation Server Liberty\n\n * 17.0.0.3 - 22.0.0.7 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH45750 as described in [Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)](<https://www.ibm.com/support/pages/node/6602039>). \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-14T16:24:13", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-07-14T16:24:13", "id": "0552F3A26220DDA3F5D387F494714842FF16F0E151708228326968DC82BDB134", "href": "https://www.ibm.com/support/pages/node/6603713", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T06:02:35", "description": "## Summary\n\nThere is a vulnerability in the Eclipse Paho library used by IBM WebSphere Application Server Liberty with the rtcomm-1.0 or rtcommGateway-1.0 feature enabled. This has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Application Server Liberty| 17.0.0.3 - 22.0.0.7 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH45750. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to [How to determine if Liberty is using a specific feature](<https://www.ibm.com/support/pages/node/6553910> \"How to determine if Liberty is using a specific feature\" ). \n \n**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.7 using the rtcomm-1.0 or rtcommGateway-1.0 feature(s): ** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH45750](<https://www.ibm.com/support/pages/node/6601889> \"PH45750\" ) \n\\--OR-- \n\u00b7 Apply Liberty Fix Pack 22.0.0.8 or later (targeted availability 3Q2022). \n \nAdditional interim fixes may be available and linked off the interim fix download page.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-07T17:54:29", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-07-07T17:54:29", "id": "CCF7B61DF8195BD1D2CD817C3BC2B2940DBCC4A364675129DCD77F07546B8815", "href": "https://www.ibm.com/support/pages/node/6602039", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T06:02:18", "description": "## Summary\n\nIBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) and Version(s)| Affecting Product(s) and Version(s) \n---|--- \n \nIBM Cloud Pak for Applications\n\n * 5.1\n| \n\nIBM WebSphere Application Server Liberty\n\n * 17.0.0.3 - 22.0.0.7 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH45750 as described in [Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)](<https://www.ibm.com/support/pages/node/6602039>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-14T16:27:59", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-07-14T16:27:59", "id": "02EF8009E8FC77A6E66FFCE1B67A472B3B1B1D15700B7594E5084CE595A5CF52", "href": "https://www.ibm.com/support/pages/node/6603717", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:55:39", "description": "## Summary\n\nThere is a vulnerability in the Eclipse Paho library used by IBM WebSphere Application Server Liberty with the rtcomm-1.0 or rtcommGateway-1.0 feature enabled. Provided that IBM Match 360 uses WebSphere Liberty Profile, this vulnerability has been addressed in IBM Match 360 v4.5.2 and prior.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - IBM Match 360| All \n \n\n\n## Remediation/Fixes\n\n<https://www.ibm.com/support/pages/node/6602039>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-06T04:10:57", "type": "ibm", "title": "Security Bulletin: CP4D Match 360 is impacted due to vulnerability in IBM WebSphere Application Server Liberty spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-10-06T04:10:57", "id": "A089D140B4F8AAFF5D139406914667261E4C8A001F7B52A9F7071052F2A5F55F", "href": "https://www.ibm.com/support/pages/node/6825899", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:49:29", "description": "## Summary\n\nTerracotta Quartz Scheduler could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-13990](<https://vulners.com/cve/CVE-2019-13990>) \n** DESCRIPTION: **Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nResilient OnPrem| IBM Security SOAR \n \n## Remediation/Fixes\n\nUsers must upgrade to v38.2 of IBM Resilient in order to obtain a fix for this vulnerability.\n\nYou can upgrade the platform by following the instructions in the \"[Upgrade Procedure](<https://www.ibm.com/support/knowledgecenter/SSBRUQ_38.0.0/doc/install/resilient_install_upgrading.html> \"Upgrade Procedure\" )\" section in the IBM Knowledge Center. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-27T23:52:58", "type": "ibm", "title": "Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Terracotta Quartz ( CVE-2019-13990)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2020-10-27T23:52:58", "id": "2386F1AB0413EEF3A8C299A357E7BB8AB76A40C4C355F7A3F8BB00B41DA6A965", "href": "https://www.ibm.com/support/pages/node/6356107", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:48:50", "description": "## Summary\n\nIn Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17638](<https://vulners.com/cve/CVE-2019-17638>) \n** DESCRIPTION: **Eclipse Jetty, as bundled in Jenkins, could allow a remote attacker to obtain sensitive information, caused by an issue with corrupt HTTP response buffer being sent to different clients. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 9.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nUCD - IBM UrbanCode Deploy| 6.2.7.4 \nUCD - IBM UrbanCode Deploy| 6.2.7.3 \nUCD - IBM UrbanCode Deploy| 7.0.4.0 \nUCD - IBM UrbanCode Deploy| 7.0.3.0 \nUCD - IBM UrbanCode Deploy| All \n \n\n\n## Remediation/Fixes\n\nUpgrade to 6.2.7.9, 7.0.5.4, 7.1.1.0 or later. \n\n * [https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.2.7.9-IBM-UrbanCode-Deploy&amp;continue=1](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=6.2.7.9-IBM-UrbanCode-Deploy&continue=1>)\n * [https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.5.4-IBM-UrbanCode-Deploy&amp;continue=1](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.0.5.4-IBM-UrbanCode-Deploy&continue=1>)\n * [https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.1.1.0.ifix01-IBM-UrbanCode-Deploy&amp;continue=1](<https://www.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=7.1.1.0.ifix01-IBM-UrbanCode-Deploy&continue=1>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-11-18T20:33:15", "type": "ibm", "title": "Security Bulletin: CVE-2019-17638 jetty double-release of a byte buffer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-11-18T20:33:15", "id": "08BE0A8BB84E3BC2898AB7755B7D1A3495C89B7E47A13AF2D70C5EEDFEB7423A", "href": "https://www.ibm.com/support/pages/node/6370095", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:47:46", "description": "## Summary\n\nAn issue was identified with Eclipse Jetty that is bundled within IBM MQ Explorer\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-17638](<https://vulners.com/cve/CVE-2019-17638>) \n**DESCRIPTION: **Eclipse Jetty, as bundled in Jenkins, could allow a remote attacker to obtain sensitive information, caused by an issue with corrupt HTTP response buffer being sent to different clients. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 9.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM MQ | 9.2 CD \nIBM MQ | 9.2 LTS \n \n## Remediation/Fixes\n\n**IBM MQ 9.2 LTS**\n\n[Apply Fixpack 9.2.0.1](<https://www.ibm.com/support/pages/downloading-ibm-mq-version-9201> \"Apply Fixpack 9.2.0.1\" )\n\n**IBM MQ 9.2 CD**\n\n[Upgrade to IBM MQ 9.2.1](<https://www.ibm.com/support/pages/downloading-ibm-mq-921-continuous-delivery> \"Upgrade to IBM MQ 9.2.1\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-12-23T13:52:05", "type": "ibm", "title": "Security Bulletin: IBM MQ is affected by a vulnerability in Eclipse Jetty (CVE-2019-17638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-12-23T13:52:05", "id": "C51EF092095509DC47C909859351A8ADA43A7C16BBC9EEABB3105B07B38B2E02", "href": "https://www.ibm.com/support/pages/node/6393332", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:54", "description": "## Summary\n\nEclipse Jetty, as bundled in Jenkins, could allow a remote attacker to obtain sensitive information, caused by an issue with corrupt HTTP response buffer being sent to different clients. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17638](<https://vulners.com/cve/CVE-2019-17638>) \n** DESCRIPTION: **Eclipse Jetty, as bundled in Jenkins, could allow a remote attacker to obtain sensitive information, caused by an issue with corrupt HTTP response buffer being sent to different clients. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 9.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \neDiscovery Analyzer| 2.2.2 \n \n\n\n## Remediation/Fixes\n\n**Product \n** | **VRM**| **Remediation** \n---|---|--- \nIBM eDiscovery Analyzer| 2.2.2| \n\nUse IBM eDiscovery Analyzer [2.2.2 Fix Pack 4 IF002 WIN](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Analyzer&fixids=2.2.2.4-EDA-WIN-FP0004-IF002&source=SAR> \"2.2.2 Fix Pack 4 IF002 WIN\" ) and [2.2.2 Fix Pack 4 IF002 AIX](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Analyzer&fixids=2.2.2.4-EDA-AIX-FP0004-IF002&source=SAR> \"2.2.2 Fix Pack 4 AIX\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-09-15T19:39:42", "type": "ibm", "title": "Security Bulletin: Publicly disclosed vulnerability found by vFinder in IBM eDiscovery Analyzer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-09-15T19:39:42", "id": "2E01377B53F391E376F1759320631A1C142B4E58121781793F84A5847C6E21D0", "href": "https://www.ibm.com/support/pages/node/6333089", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T22:06:57", "description": "## Summary\n\ni2 Analyze uses a version of Jetty wth known vulnerabilities.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17638](<https://vulners.com/cve/CVE-2019-17638>) \n** DESCRIPTION: **Eclipse Jetty, as bundled in Jenkins, could allow a remote attacker to obtain sensitive information, caused by an issue with corrupt HTTP response buffer being sent to different clients. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 9.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185436](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185436>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM i2 Analyst's Notebook Premium| IBM i2 Analyze 4.3.2 \n \n\n\n## Remediation/Fixes\n\nPlease visit your IBM customer portal to download the 4.4.0 continuous delivery update\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2021-07-29T07:55:08", "type": "ibm", "title": "Security Bulletin: i2 Analyze has an information disclosure vulnerability (CVE-2019-17638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2021-07-29T07:55:08", "id": "A1F6DDF011DAD0291EC494B8A8870EB4294541EF775B653EAFE335D3158A3D92", "href": "https://www.ibm.com/support/pages/node/6476592", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T05:59:56", "description": "## Summary\n\nIBM WebSphere Application Server Liberty used by Rational Asset Analyzer is vulnerable to spoofing in the Eclipse Paho library with the rtcomm-1.0 or rtcommGateway-1.0 feature enabled. This has been addressed. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nRational Asset Analyzer (RAA)| 6.1.0.0 - 6.1.0.23 \n \n\n\n## Remediation/Fixes\n\nApply the corresponding fix from FIX Central. Note the release date of 2022/09/01 \n\n**Windows Version**| [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/IBM+Rational+Asset+Analyzer&release=6.1.0.23&platform=Windows&function=all&source=fc> \"Fix Central\" ) \n---|--- \n**z/OS Version**| [Fix Central](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ERational&product=ibm/Rational/IBM+Rational+Asset+Analyzer&release=6.1.0.23&platform=z/OS&function=all> \"Fix Central\" ) \n \nIBM strongly recommends addressing the vulnerability now by upgrading.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-06T23:14:26", "type": "ibm", "title": "Security Bulletin: Rational Asset analyzer is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-09-06T23:14:26", "id": "2C2DAE3598B90C90576BD2F18C01B0F3350AAF6A99435251F77D87ABDDF8CDA1", "href": "https://www.ibm.com/support/pages/node/6618599", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:58:49", "description": "## Summary\n\nWebSphere Application Server Liberty is shipped as part of IBM Business Automation Workflow containers and as part of the optional components Process Federation Server (since 8.5.6), and User Management Service (since 18.0.0.1) in IBM Business Automation Workflow traditional and IBM Business Process Manager. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status| Note \n---|---|---|--- \nIBM Business Automation Workflow containers| V22.0.1 \nV21.0.2 - V21.0.3 \nV20.0.0.1 - V20.0.0.2| not affected| \nIBM Business Automation Workflow traditional| V22.0.1 \nV21.0.1 - V21.0.3 \nV20.0.0.1 - V20.0.0.2 \nV19.0.0.1 - V19.0.0.3 \nV18.0.0.0 - V18.0.0.2| affected| Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed. \nIBM Business Process Manager| V8.6.0.0 - V8.6.0.201803 \nV8.5.0.0 - V8.5.0.201706| affected| Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed. \n \nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nPlease consult the security bulletin: [IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)](<https://www.ibm.com/support/pages/node/6602039> \"IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho \\(CVE-2019-11777\\)\" ) for vulnerability details and information about fixes.\n\nAffected Product(s)| Version(s)| Remediation / Fix \n---|---|--- \nIBM Business Automation Workflow traditional| V22.0.1 \nV21.0.1 - V21.0.3 \nV20.0.0.1 - V20.0.0.2 \nV19.0.0.1 - V19.0.0.3 \nV18.0.0.0 - V18.0.0.2| Follow the instructions from the security bulletin mentioned above. \nIBM Business Process Manager| V8.6.0.0 - V8.6.0.201803 \nV8.5.0.0 - V8.5.0.201706| Follow the instructions from the security bulletin mentioned above. \n \n \n \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-14T15:28:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Business Automation Workflow and IBM Business Process Manager (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-09-14T15:28:14", "id": "6A183CCACC979B3E3450E7FF10F849177081B9FA384CBA6358BB786A20DBFBC3", "href": "https://www.ibm.com/support/pages/node/6603361", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-07T21:41:47", "description": "## Summary\n\nWebSphere Application Server Liberty is used by IBM CICS TX Standard to provide a web based administration console. The fix removes the spoofing vulnerability CVE-2019-11777 from Liberty. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM CICS TX Standard| All \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below \n\nProduct| Version| Defect| Remediation / First Fix \n---|---|---|--- \nIBM CICS TX Standard| \n\n11.1\n\n| 127796| [Download fix here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FCICS+TX+Standard&fixids=ibm-cics-tx-standard-image-11.1.0.0-ifix3&source=SAR&function=fixId&parent=ibm/Other%20software> \"Download fix here\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-14T21:14:53", "type": "ibm", "title": "Security Bulletin: IBM CICS TX Standard is vulnerable to spoofing due to a flaw in Eclipse Paho, used by IBM WebSphere Application Server Liberty (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2023-02-14T21:14:53", "id": "029B79D2A1319C5BDC1C8DA56C4D9B225C64CFEF9D599A11A3FF8AED3FC903C3", "href": "https://www.ibm.com/support/pages/node/6695821", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:57:43", "description": "## Summary\n\nTXSeries for Multiplatforms has addressed the following identity spoofing vulnerability in Eclipse Paho reported by IBM\u00ae WebSphere Application Server Liberty\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TXSeries for Multiplatforms| 8.2 \nIBM TXSeries for Multiplatforms| 9.1 \n \n\n\n## Remediation/Fixes\n\nProduct \n\n| \n\nVersion\n\n| \n\nDefect\n\n| \n\nRemediation / First Fix \n \n---|---|---|--- \n \nIBM TXSeries for Multiplatforms v9.1\n\n| \n\n9.1.0.0 \n9.1.0.2\n\n| \n\n127796\n\n| [Download fix here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FTXSeries+for+Multiplatforms&fixids=TXSeries_91_SpecialFIX_Liberty_092022&source=SAR&function=fixId&parent=ibm/Other%20software> \"Download fix here\" ) \n \nIBM TXSeries for Multiplatforms v8.2\n\n| \n\n8.2.0.0 \n8.2.0.1 \n8.2.0.2\n\n| \n\n127796\n\n| [Download fix here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FTXSeries+for+Multiplatforms&fixids=TXSeries_82_SpecialFIX_Liberty_092022&source=SAR&function=fixId&parent=ibm/Other%20software> \"Download fix here\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-22T11:42:06", "type": "ibm", "title": "Security Bulletin: A spoofing vulnerablity due to an exposure in Eclipse Paho used by IBM WebSphere Application Server Liberty affects TXSeries for Multiplatforms", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-09-22T11:42:06", "id": "E050D8D5849896048324B8F6ECAD453BADAE5D7AC416C364A5AABAA7AD09C664", "href": "https://www.ibm.com/support/pages/node/6695795", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T17:57:37", "description": "## Summary\n\nVulnerabilities identified in IBM Guardium Data Encryption (GDE). These vulnerabilities have been fixed, please apply the latest version to obtain the fix.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)\n\n| \n\nVersion \n \n---|--- \n \nGDE\n\n| \n\n4.0.0 \n \n \n\n\n## Remediation/Fixes\n\nListed vulnerabilities (in this security bulletin) are address in below version of IBM Guardium Data Encryption (GDE). Please apply the latest version to obtain the fix.\n\nProduct\n\n| \n\nFixed Version\n\n| \n\nLink for Fixes \n \n---|---|--- \n \nGDE \n\n| \n\n5.0.0.x\n\n| \n\nThales Portal -&gt; My Products -&gt; Guardium Data Encryption Components-&gt; GCKM 1.10\n\n[https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=c439a9281b042490f2888739cd4bcbb0&amp;sysparm_article=KB0023084](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=c439a9281b042490f2888739cd4bcbb0&sysparm_article=KB0023084>) \n \n \n\n\n## Workarounds and Mitigations\n\nPlease apply the latest version to obtain the fixes.\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-27T06:09:04", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Guardium Data Encryption (GDE) (CVE-2020-7676)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2021-07-27T06:09:04", "id": "E21998D79E596F7A4F4AD06719A7D4A56FFB91644A0EB3DE8A78FF10B1B0E770", "href": "https://www.ibm.com/support/pages/node/6475607", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T17:51:48", "description": "## Summary\n\nA vulnerability to cross-site scripting exists in angular.js which is used in IBM Guardium Data Encryption (GDE). Please apply the latest version for the fixes.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nProduct Name| Component Name| Affected Version \n---|---|--- \nIBM Guardium Data Encryption (GDE)| Guardium Cloud Key Manager (GCKM)| GCKM 1.10.1 and lower \n \n\n\n## Remediation/Fixes\n\nPlease apply the fix linked below. \nNote: In order to get the fix, customer needs to login to Thales portal. \n\nComponent Name | Fixed in Version| Patch/Upgrade link \n---|---|--- \nGCKM (Guardium Cloud Key Manager)| 1.10.2| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=3f16cf99dbc20110f0e3220805961916&amp;sysparm_article=KB0025602](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3f16cf99dbc20110f0e3220805961916&sysparm_article=KB0025602>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-03-09T08:53:47", "type": "ibm", "title": "Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2022-03-09T08:53:47", "id": "D0F7FDBF77C996BBB5122723C58E77017602E39AA56CB302D43EF4B7BF253795", "href": "https://www.ibm.com/support/pages/node/6562165", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:46:48", "description": "## Summary\n\nThe web server in IBM Security Verify Information Queue (ISIQ) uses an older version of the angular.js package that has a cross-site scripting vulnerability. As of v10.0.0, ISIQ has upgraded to a newer, secure version of angular.js. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Information Queue| 1.0.6, 1.0.7 \n \n\n\n## Remediation/Fixes\n\nDownload and install the latest IBM Security Verify Information Queue images (tagged at 10.0.0 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-02-10T16:50:25", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Information Queue uses a Node.js package with a cross-site scripting vulnerability (CVE-2020-7676)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2021-02-10T16:50:25", "id": "B203EF5DF64CC2A004506A72B6F905A1E68685BCA2E219723ECDB8CB0AE9351F", "href": "https://www.ibm.com/support/pages/node/6414347", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:48:50", "description": "## Summary\n\nApache Shiro as used by Master Console is vulnerable to improper acceess control \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-13933](<https://vulners.com/cve/CVE-2020-13933>) \n** DESCRIPTION: **Apache Shiro could allow a remote attacker to bypass security restrictions, caused by improper authentication validation. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186901](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186901>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nMaster Console| 0.7.0 - 1.0.0 \n \n\n\n## Remediation/Fixes\n\n[Master Console 1.0.1](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=1.0.1-QRADAR-QRCONSOLE-20200925141744&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp> \"Master Console 1.0.1\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-11-18T21:15:06", "type": "ibm", "title": "Security Bulletin: Apache Shiro as used by Master Console is vulnerable to improper acceess control (CVE-2020-13933)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2020-11-18T21:15:06", "id": "607040F58DA4793E739F08EA2C0296DFB8A3D91BFF1561FDED37EED2FF40B649", "href": "https://www.ibm.com/support/pages/node/6370105", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-07T22:06:30", "description": "## Summary\n\nThe product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-13990](<https://vulners.com/cve/CVE-2019-13990>) \n** DESCRIPTION: **Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-8908](<https://vulners.com/cve/CVE-2020-8908>) \n** DESCRIPTION: **Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192996>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-9488](<https://vulners.com/cve/CVE-2020-9488>) \n** DESCRIPTION: **Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180824](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180824>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-13956](<https://vulners.com/cve/CVE-2020-13956>) \n** DESCRIPTION: **Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189572>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-25649](<https://vulners.com/cve/CVE-2020-25649>) \n** DESCRIPTION: **FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192648](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192648>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nIBM Disconnected Log Collector v1.0 - v1.5\n\n \n\n\n## Remediation/Fixes\n\n[IBM Disconnected Log Collector v1.6](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=DLC-1.6.0&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"IBM Disconnected Log Collector v1.6\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T20:12:09", "type": "ibm", "title": "Security Bulletin: IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990", "CVE-2020-13956", "CVE-2020-25649", "CVE-2020-8908", "CVE-2020-9488"], "modified": "2021-08-10T20:12:09", "id": "C633E3F919C9BCD1EAFB625FB054DC01CA44ECB316E9D13E7A22A44BF1FFF391", "href": "https://www.ibm.com/support/pages/node/6479907", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T05:55:10", "description": "## Summary\n\nThere is a vulnerability in the Eclipse Paho library used by Liberty for Java for IBM Cloud with the rtcomm-1.0 or rtcommGateway-1.0 feature enabled. This has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect all versions of Liberty for Java for IBM Cloud up to and including v3.72.\n\n \n\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java for IBM Cloud v3.73-20220816-0814 or higher, you must re-stage or re-push your application. \n\nTo find the current version of Liberty for Java for IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:\n\ncf ssh &lt;appname&gt; -c \"cat staging_info.yml\"\n\nLook for similar lines:\n\n{\u201cdetected_buildpack\u201d:\u201cLiberty for Java(TM) (WAR, liberty-xxx, 3.73-20220816-0814, xxx, env)\u201c,\u201dstart_command\u201d:\u201c.liberty/initial_startup.rb\u201d}\n\nTo re-stage your application using the command-line Cloud Foundry client, use the following command:\n\ncf restage &lt;appname&gt;\n\nTo re-push your application using the command-line Cloud Foundry client, use the following command:\n\ncf push &lt;appname&gt;\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-07T16:09:39", "type": "ibm", "title": "Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-10-07T16:09:39", "id": "D27EFACE988E0DA785579AFC4E4F02D75C37EB0A939F3F361B5C5BBACBB61A4D", "href": "https://www.ibm.com/support/pages/node/6616659", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:55:33", "description": "## Summary\n\nIBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n**DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Netcool Impact | 7.1.0 \n \n## Remediation/Fixes\n\nProduct | VRMF | APAR | Remediation \n---|---|---|--- \nIBM Tivoli Netcool Impact 7.1.0 | 7.1.0.27 | IJ41340 | Upgrade to [IBM Tivoli Netcool Impact 7.1.0 FP27](<https://www.ibm.com/support/pages/node/6617985> \"IBM Tivoli Netcool Impact 7.1.0 FP27\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-10-06T04:36:23", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-10-06T04:36:23", "id": "18A14947A726E488C2CEB7E8A6A20CBD52C5EAFEF83C6210553BEBC1948A02EA", "href": "https://www.ibm.com/support/pages/node/6826613", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:47:09", "description": "## Summary\n\nWebSphere Application Server Liberty is used by IBM CICS TX Advanced to provide a web based administration console. The fix removes the spoofing vulnerability CVE-2019-11777 from Liberty. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM CICS TX Advanced| 10.1 \nIBM CICS TX Advanced| 11.1 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability by downloading and applying the interim fixes from the table below \n\nProduct\n\n| Version| Defect| Remediation / First Fix \n---|---|---|--- \nIBM CICS TX Advanced| \n\n11.1\n\n| 127796| [Download fix from here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=ibm-cics-tx-advanced-image-11.1.0.0-ifix3&source=SAR&function=fixId&parent=ibm/Other%20software> \"Download fix from here\" ) \nIBM CICS TX Advanced| \n\n10.1\n\n| 127796| [Download fix from here](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=ibm-cics-tx-advanced-docker-image-10.1.0.0-ifix10&source=SAR&function=fixId&parent=ibm/Other%20software> \"Download fix from here\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-14T21:04:36", "type": "ibm", "title": "Security Bulletin: IBM CICS TX Advanced is vulnerable to spoofing due to a flaw in Eclipse Paho, used by IBM WebSphere Application Server Liberty (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2023-02-14T21:04:36", "id": "04846E2257AD4BD33CFE7B37A3258269E52A6BC63F384BA08A706F7B8F8808F8", "href": "https://www.ibm.com/support/pages/node/6695831", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:56:10", "description": "## Summary\n\nBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information.(CVE-2019-11777)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-11777](<https://vulners.com/cve/CVE-2019-11777>) \n** DESCRIPTION: **Eclipse Paho Java client could allow a remote attacker to bypass security restrictions, caused by the failure to check the result when connecting to an MQTT server using TLS and setting a host name verifier. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow one MQTT server to impersonate another and provide the client library with incorrect information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/167068](<https://exchange.xforce.ibmcloud.com/vulnerabilities/167068>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\n[ \nAffected](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.1_readme.html> \"\" ) Product(s)| Version(s) \n---|--- \nPowerVM Novalink| 2.0 \nPowerVM Novalink| 2.0.1 \nPowerVM Novalink| 2.0.2 \nPowerVM Novalink| 2.0.2.1 \nPowerVM Novalink| 2.0.3 \nPowerVM Novalink| 2.0.3.1 \n \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by upgrading based on the table below.**\n\nProduct| Version| Remediation \n---|---|--- \nPowerVM Novalink | 2.0.0.0| \n\n[Update to pvm-novalink 2.0.1-220908](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.1_readme.html> \"\" )\n\nor \n\n[Update to pvm-novalink_2.0.3.1.1-220923](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.3.1_readme.html> \"Update to pvm-novalink_2.0.3.1.1-220923\" ) \n \nPowerVM Novalink| 2.0.1| \n\n[Update to pvm-novalink 2.0.1-220908](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.1_readme.html> \"\" )\n\nor\n\n[Update to pvm-novalink_2.0.3.1.1-220923](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.3.1_readme.html> \"Update to pvm-novalink_2.0.3.1.1-220923\" ) \n \nPowerVM Novalink| 2.0.2| [Update to pvm-novalink_2.0.3.1.1-220923](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.3.1_readme.html> \"Update to pvm-novalink_2.0.3.1.1-220923\" ) \nPowerVM Novalink| 2.0.2.1| [Update to pvm-novalink_2.0.3.1.1-220923](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.3.1_readme.html> \"Update to pvm-novalink_2.0.3.1.1-220923\" ) \nPowerVM Novalink| 2.0.3| [Update to pvm-novalink_2.0.3.1.1-220923](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.3.1_readme.html> \"Update to pvm-novalink_2.0.3.1.1-220923\" ) \nPowerVM Novalink| 2.0.3.1| [Update to pvm-novalink_2.0.3.1.1-220923](<https://public.dhe.ibm.com/systems/virtualization/Novalink/readme/NovaLink_2.0.3.1_readme.html> \"Update to pvm-novalink_2.0.3.1.1-220923\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-27T13:17:10", "type": "ibm", "title": "Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions.", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2022-09-27T13:17:10", "id": "F80C5E711C0351A31E0FF717B77CB85D7444954B128D05F999F7918282C0E604", "href": "https://www.ibm.com/support/pages/node/6824137", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-28T21:36:55", "description": "## Summary\n\nThere is a vulnerability in the Eclipse Paho library used by IBM WebSphere Application Server Liberty with the rtcomm-1.0 or rtcommGateway-1.0 feature enabled. Following IBM\u00ae Engineering Lifecycle Engineering product is vulnerable to this attack, it has been addressed in this bulletin: IBM Engineering Requirements Management DOORS Next\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nVersion(s) | Affected Product(s) \n---|--- \n7.0, \n7.0.1, \n7.0.2| IBM Engineering Requirements Management DOORS Next \n \n\n\n## Remediation/Fixes\n\nThis vulnerability affects IBM\u00ae Engineering Lifecycle Engineering product mentioned above, uses the Eclipse Paho library which is used by IBM WebSphere Application Server Liberty versions 17.0.0.3 - 22.0.0.5. \n\nIf the Product is deployed on one of the above versions, Please follow the instruction given in the following article \n\nLink - <https://www.ibm.com/support/pages/node/6602039>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2022-12-23T10:03:27", "type": "ibm", "title": "Security Bulletin: The IBM\u00ae Engineering Lifecycle Engineering products using IBM WebSphere Application Server Liberty is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-11777"], "modified": "2022-12-23T10:03:27", "id": "6C8F65238744CBD50867F0DE4F67D738F76BBC9B5A7E11C859713D69F6C221D3", "href": "https://www.ibm.com/support/pages/node/6851571", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-27T21:54:56", "description": "## Summary\n\nA security vulnerability in Quartz which could allow a remote attacker to obtain sensitive information affects IBM Spectrum Protect Plus.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-13990](<https://vulners.com/cve/CVE-2019-13990>) \n** DESCRIPTION: **Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Plus| 10.1.0-10.1.5 \n \n## Remediation/Fixes\n\n**Spectrum Protect** \n**Plus Release**| **First Fixing** \n**VRM Level**| **Platform**| **Link to Fix** \n---|---|---|--- \n10.1| 10.1.6| Linux| <https://www.ibm.com/support/pages/node/5693313> \n \n** **\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-12T20:12:45", "type": "ibm", "title": "Security Bulletin: Quartz vulnerability affects IBM Spectrum Protect Plus (CVE-2019-13990)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2020-06-12T20:12:45", "id": "9D4EC30B388B671B00F0D192ACD964A17D2BA337E5388809BC8935D15D6F2731", "href": "https://www.ibm.com/support/pages/node/6221196", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:51:34", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Terracotta Quartz Scheduler.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-13990](<https://vulners.com/cve/CVE-2019-13990>) \n** DESCRIPTION: **Terracotta could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the initDocumentParser function in xml/XMLSchedulingDataProcessor.java. By persuading a victim to open specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165431](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165431>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.1.3 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1.4 \n \n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-29T08:57:53", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Terracotta Quartz Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2020-08-29T08:57:53", "id": "516E060FEEF277A36D6526C4E424F4FB4783A65B1BFD619BAE759477F50DF1B7", "href": "https://www.ibm.com/support/pages/node/6323253", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:47:41", "description": "## Summary\n\nIBM MQ Appliance has addressed a cross-site scripting vulnerability.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n**DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a web page that would be executed in a victim's web browser within the security context of the hosting web site, when the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM MQ Appliance | 9.1 LTS \nIBM MQ Appliance | 9.1 CD \nIBM MQ Appliance | 9.2 \n \n## Remediation/Fixes\n\n**IBM MQ Appliance 9.1 LTS**\n\nApply [fixpack 9.1.0.7](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+MQ+Appliance+M2000&function=fixId&fixids=9.1.0.7-IBM-MQ-Appliance-U0000&includeSupersedes=1> \"\" ), or later maintenance\n\n**IBM MQ Appliance 9.1 CD**\n\nUpgrade to [9.2.1](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+MQ+Appliance+M2000&release=All&function=fixId&fixids=9.2.1-IBM-MQ-Appliance-U0000&includeSupersedes=1> \"9.2.1\" ), or later continuous delivery release\n\n**IBM MQ Appliance 9.2 LTS**\n\nUpgrade to [9.2.0.1](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+MQ+Appliance+M2000&function=fixId&fixids=9.2.0.1-IBM-MQ-Appliance-U0000&includeSupersedes=1> \"\" ), or later maintenance\n\n## Workarounds and Mitigations\n\n**IBM MQ Appliance 9.2**\n\nThis vulnerability is only applicable if the web console has been switched from the New Web Console (which is the default web console for IBM MQ Appliance V9.2.0) to the Dashboard Web Console (which was the web console for earlier versions of IBM MQ Appliance).\n\nFor instructions on how to switch between console types, see: <https://www.ibm.com/support/knowledgecenter/en/SS5K6E_9.2.0/com.ibm.mqa.doc/administering/co00690_copyto.htm>\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-01-06T13:23:25", "type": "ibm", "title": "Security Bulletin: IBM MQ Appliance is affected by a cross-site scripting vulnerability (CVE-2020-7676)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2021-01-06T13:23:25", "id": "32E0DD5046A745AD2658461468D01145619C0232B4A373850B922EDB6BCB5949", "href": "https://www.ibm.com/support/pages/node/6361623", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:48:11", "description": "## Summary\n\nA security vulnerability in angular.js affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Pak for Multicloud Management| 2.0 \n \n## Remediation/Fixes\n\nUpgrade to IBM Cloud Pak for Multicloud Management 2.1 by following the instructions in <https://www.ibm.com/support/knowledgecenter/en/SSFC4F_2.1.0/install/upgrade.html>.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-12-14T18:31:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability in angular.js affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service.", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-12-14T18:31:49", "id": "A48ADDF9899AB448105F32C12994F7EA922B37508ADD048389980EDDF8728CD7", "href": "https://www.ibm.com/support/pages/node/6350225", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:48:45", "description": "## Summary\n\nA security vulnerability in angular.js affects IBM Cloud Automation Manager.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-7676](<https://vulners.com/cve/CVE-2020-7676>) \n** DESCRIPTION: **angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183379](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183379>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Automation Manager| 4.2.0.1 \n \n\n\n## Remediation/Fixes\n\nDownload IBM Cloud Automation Manager 4.2.0.1 ifix 1 from [https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=icp-cam-3.2.1-build565648&amp;includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-cam-3.2.1-build565648&includeSupersedes=0>)\n\nFollow the instructions in Readme link in [https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=icp-cam-3.2.1-build565648&amp;includeSupersedes=0](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-cam-3.2.1-build565648&includeSupersedes=0>) to install the ifix 1 to your IBM Cloud Automation Manager 4.2.0.1.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-11-26T21:28:07", "type": "ibm", "title": "Security Bulletin: A security vulnerability in angular.js affects IBM Cloud Automation Manager.", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-11-26T21:28:07", "id": "14F4982730CEAFD5246C271622B4E77BD29429BC1475F327DD047BBD585280F3", "href": "https://www.ibm.com/support/pages/node/6373010", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-24T01:39:09", "description": "## Summary\n\nMultiple vulnerabilities CVE-2019-12410, CVE-2019-12408 in arrow package\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-12410](<https://vulners.com/cve/CVE-2019-12410>) \n** DESCRIPTION: **While investigating UBSAN errors in <https://github.com/apache/arrow/pull/5365> it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171169](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171169>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n** CVEID: **[CVE-2019-12408](<https://vulners.com/cve/CVE-2019-12408>) \n** DESCRIPTION: **It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171097](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171097>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM PowerAI 1.6.2| 1.6.2 \n \n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| APAR| Remediation / First Fix \n---|---|---|--- \nIBM Watson Machine Learning CE| 1.6.2| None| arrow-cpp 0.15.1 py36_603.g702c836 \n \nPackages affected: thrift-cpp, libcudf, cudf\n\nFix: thrift-cpp version updated to 0.12.0 for CVE-2019-0210 and including code fix/changes for CVE-2019-0205.\n\nBefore installation, verify that the specific build of cudf is available in the conda channel using the command: \nconda search cudf=0.9.0 -c <https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/>\n\nOutput of the above command should contain the following (in addition to other builds of cudf): \n# Name Version Build Channel \ncudf 0.9.0 cuda10.1_py36_626.gddcad2d ibmdl/export/pub/software/server/ibm-ai/conda \ncudf 0.9.0 cuda10.1_py37_626.gddcad2d ibmdl/export/pub/software/server/ibm-ai/conda\n\nFew other packages that will be updated automatically to the following versions when the above build of cudf is installed: \narrow-cpp 0.15.1 py36_603.g702c836 ibmdl/export/pub/software/server/ibm-ai/conda \narrow-cpp 0.15.1 py37_603.g702c836 ibmdl/export/pub/software/server/ibm-ai/conda \npyarrow 0.15.1 py36_609.g3a6717a ibmdl/export/pub/software/server/ibm-ai/conda \npyarrow 0.15.1 py37_609.g3a6717a ibmdl/export/pub/software/server/ibm-ai/conda \nparquet-cpp 1.5.1 579.g6eecc60 ibmdl/export/pub/software/server/ibm-ai/conda \nlibcudf 0.9.0 cuda10.1_609.g113236a ibmdl/export/pub/software/server/ibm-ai/conda \nthrift-cpp 0.12.0 580.gf96fa62 ibmdl/export/pub/software/server/ibm-ai/conda\n\nInstallation of fix: Install the fix for python3.6 conda environment using the following command. \nconda install -c <https://public.dhe.ibm.com/ibmdl/export/pub/software/server/ibm-ai/conda/> cudf=0.9.0=cuda10.1_py36_626.gddcad2d\n\nVerification: The following command should pass and give one line output in python3.6 conda environment: \nconda list cudf | grep cuda10.1_py36_626.gddcad2d\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities CVE-2019-12410, CVE-2019-12408 in arrow package", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2019-12408", "CVE-2019-12410"], "modified": "2019-12-20T08:47:33", "id": "75EECDFC779DA9FD1966C5DAD1AE11A16457B1CE376CB9360156AA150266966E", "href": "https://www.ibm.com/support/pages/node/1125075", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-24T06:00:11", "description": "## Summary\n\nIBM TRIRIGA discloses CVE-2019-10219\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-10219](<https://vulners.com/cve/CVE-2019-10219>) \n** DESCRIPTION: **Hibernate-Validator is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the SafeHtml validator annotation A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171317](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171317>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM TRIRIGA Application Platform| 3.6. \nIBM TRIRIGA Application Platform| 3.7 \nIBM TRIRIGA Application Platform | 3.8 \nIBM TRIRIGA Application Platform | 4.0 \nIBM TRIRIGA Application Platform | 4.1 \n \n\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| \n\n**Remediation/First Fix** \n \n---|---|--- \nIBM TRIRIGA Application Platform| 3.6.1.3| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.6.1.3&language=en_US> \"FixCentral\" ). \nIBM TRIRIGA Application Platform| 3.7.0.1| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.7.0.1&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 3.8.0.1| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%203.8.0.1&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 4.0.2| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%204.0.2&language=en_US> \"FixCental\" ) \nIBM TRIRIGA Application Platform| 4.1.1| The fix is available for download on [FixCentral](<https://www.ibm.com/mysupport/s/ibm-community-support-search-results?q=Tririga%204.1.1&language=en_US> \"FixCental\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-08-30T16:38:56", "type": "ibm", "title": "Security Bulletin:IBM TRIRIGA discloses CVE-2019-10219", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219"], "modified": "2022-08-30T16:38:56", "id": "68B092CBA8F5743587D161CDB98D1B53F61274CFB122FF0C24F25A5225B848B3", "href": "https://www.ibm.com/support/pages/node/6616283", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-05-17T16:22:38", "description": "## Summary\n\nNetty is vulnerable to a denial of service, caused by unbounded memory allocation while decoding a ZlibEncoded byte stream in the ZlibDecoders on IBM Watson Machine Learning Server\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-11612](<https://vulners.com/cve/CVE-2020-11612>) \n** DESCRIPTION: **Netty is vulnerable to a denial of service, caused by unbounded memory allocation while decoding a ZlibEncoded byte stream in the ZlibDecoders. By sending a large ZlibEncoded byte stream, a remote attacker could exploit this vulnerability to exhaust memory resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180530>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Machine Learning Server on-prem| 2.0.0 \n \n\n\n## Remediation/Fixes\n\nFix is available on WMLServer 2.0.0.1 release . \nDownload WMLS from Passport Advantage: <https://www.ibm.com/support/pages/passport-advantage-and-passport-advantage-express>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-03T15:03:44", "type": "ibm", "title": "Security Bulletin: Netty security vulnerabilities with ZlibDecoders on IBM Watson Machine Learning Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11612"], "modified": "2021-05-03T15:03:44", "id": "B3078CC20AA0193DE0BA1F24BF600DB307BF3971A7F9CDE1170DAADE21278824", "href": "https://www.ibm.com/support/pages/node/6449284", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-27T21:47:33", "description": "## Summary\n\nA vulnerability was identified and remediated in the IBM MaaS360 Mobile Enterprise Gateway \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-11612](<https://vulners.com/cve/CVE-2020-11612>) \n** DESCRIPTION: **Netty is vulnerable to a denial of service, caused by unbounded memory allocation while decoding a ZlibEncoded byte stream in the ZlibDecoders. By sending a large ZlibEncoded byte stream, a remote attacker could exploit this vulnerability to exhaust memory resources. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180530>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM MaaS360 Mobile Enterprise Gateway | 2.102 and prior \n \n\n\n## Remediation/Fixes\n\nUpdate the IBM MaaS360 Mobile Enterprise Gateway to version 2.103.x or greater.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-01-13T17:55:03", "type": "ibm", "title": "Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway vulnerable to denial of service (CVE-2020-11612)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11612"], "modified": "2021-01-13T17:55:03", "id": "A49FC03081B73A65E6CCF013015154811700EB0AF3A788F88F0A2DD80E7DDB14", "href": "https://www.ibm.com/support/pages/node/6403860", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2023-08-04T12:27:59", "description": "This release of Red Hat build of Quarkus 1.3.4 SP1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML(CVE-2020-13692)\n\n* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgments, and other related information see the CVE pages listed in the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-07-30T13:31:37", "type": "redhat", "title": "(RHSA-2020:3248) Important: Red Hat build of Quarkus 1.3.4 SP1 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13692", "CVE-2020-14326"], "modified": "2020-07-30T13:32:35", "id": "RHSA-2020:3248", "href": "https://access.redhat.com/errata/RHSA-2020:3248", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:27:59", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.8.1 serves as an update to Red Hat Decision Manager 7.8.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jdbc-postgresql: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-08T09:26:02", "type": "redhat", "title": "(RHSA-2020:3675) Important: Red Hat Decision Manager 7.8.1 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13692", "CVE-2020-1714"], "modified": "2020-09-08T09:29:34", "id": "RHSA-2020:3675", "href": "https://access.redhat.com/errata/RHSA-2020:3675", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:27:59", "description": "This release of Red Hat build of Quarkus 1.7.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages(CVE-2020-10693)\n\n* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes(CVE-2020-11612)\n\n* keycloak: security headers missing on REST endpoints(CVE-2020-1728)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution(CVE-2020-1714)\n\n* hibernate: SQL injection issue in Hibernate ORM(CVE-2019-14900)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgments, and other related information see the CVE pages listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-14T11:13:06", "type": "redhat", "title": "(RHSA-2020:4252) Important: Red Hat build of Quarkus 1.7.5 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900", "CVE-2020-10693", "CVE-2020-11612", "CVE-2020-1714", "CVE-2020-1728"], "modified": "2020-10-14T11:13:54", "id": "RHSA-2020:4252", "href": "https://access.redhat.com/errata/RHSA-2020:4252", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:27:59", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.8.1 serves as an update to Red Hat Process Automation Manager 7.8.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jdbc-postgresql: postgresql-jdbc: XML external entity (XXE) vulnerability\nin PgSQLXML (CVE-2020-13692)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-08T09:35:31", "type": "redhat", "title": "(RHSA-2020:3678) Important: Red Hat Process Automation Manager 7.8.1 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13692", "CVE-2020-1714"], "modified": "2020-09-08T09:36:21", "id": "RHSA-2020:3678", "href": "https://access.redhat.com/errata/RHSA-2020:3678", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:27:59", "description": "Red Hat Data Grid is a distributed, in-memory datastore.\n\nThis release of Red Hat Data Grid 8.1.0 replaces Red Hat Data Grid 8.0, and includes bug fixes and enhancements, which are documented in the Release Notes, linked to in the References section.\n\nSecurity Fix(es):\n\n* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-03T16:46:15", "type": "redhat", "title": "(RHSA-2020:3626) Moderate: Red Hat Data Grid 8.1.0 Security Update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 5.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 7.8, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10746", "CVE-2020-11612", "CVE-2020-9488"], "modified": "2020-10-19T13:17:18", "id": "RHSA-2020:3626", "href": "https://access.redhat.com/errata/RHSA-2020:3626", "cvss": {"score": 5.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:C"}}, {"lastseen": "2023-08-04T12:27:59", "description": "Red Hat JBoss Enterprise Application Platform CD20 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform CD20 includes bug fixes and enhancements. \n\nSecurity Fix(es):\n\n* jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371)\n\n* jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)\n\n* hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* undertow: Memory exhaustion issue in HttpReadListener via \"Expect: 100-continue\" header (CVE-2020-10705)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)\n\n* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)\n\n* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n* wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)\n\n* cxf-core: cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-31T15:36:27", "type": "redhat", "title": "(RHSA-2020:3585) Important: EAP Continuous Delivery Technical Preview Release 20 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3720", "CVE-2018-14371", "CVE-2019-10172", "CVE-2019-14900", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10705", "CVE-2020-10714", "CVE-2020-10719", "CVE-2020-10740", "CVE-2020-11612", "CVE-2020-1719", "CVE-2020-1954", "CVE-2020-6950"], "modified": "2020-08-31T15:37:09", "id": "RHSA-2020:3585", "href": "https://access.redhat.com/errata/RHSA-2020:3585", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:28:04", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nSecurity Fix(es):\n\n* The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) \n\n* libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-24T11:07:40", "type": "redhat", "title": "(RHSA-2020:0962) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2019-14887", "CVE-2020-1745"], "modified": "2020-03-24T11:21:45", "id": "RHSA-2020:0962", "href": "https://access.redhat.com/errata/RHSA-2020:0962", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-08-04T12:28:04", "description": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nSecurity Fix(es):\n\n* The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) \n\n* libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-24T11:06:38", "type": "redhat", "title": "(RHSA-2020:0961) Important: Red Hat JBoss Enterprise Application Platform 7.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2019-14887", "CVE-2020-1745"], "modified": "2020-03-24T11:06:59", "id": "RHSA-2020:0961", "href": "https://access.redhat.com/errata/RHSA-2020:0961", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-08-16T15:33:04", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.8.1 serves as a replacement for Red Hat AMQ Broker 7.8.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* jetty: buffer not correctly recycled in Gzip Request inflation (CVE-2020-27218)\n\n* guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-02-04T13:31:57", "type": "redhat", "title": "(RHSA-2021:0417) Moderate: Red Hat AMQ Broker 7.8.1 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10768", "CVE-2020-27218", "CVE-2020-7676", "CVE-2020-8908", "CVE-2021-26118"], "modified": "2021-06-29T16:06:06", "id": "RHSA-2021:0417", "href": "https://access.redhat.com/errata/RHSA-2021:0417", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "fedora": [{"lastseen": "2023-06-13T15:03:54", "description": "Eclipse features and plugins that are useful for C and C++ development. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-cdt-9.11.1-8.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:BACE03098BA0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XE6OXX2AYSWZGK75IGU2LQS7LBEKKDFC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "Remote Services provides an extensible remote services framework. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-remote-3.0.1-6.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:7A1EA3098BA2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CYHSEP2KQHZB4RIY4CH3YRIDJ23HZWIL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "The Graphical Editing Framework (GEF) allows developers to create a rich graphical editor from an existing application model. GEF is completely application neutral and provides the groundwork to build almost any application, including but not limited to: activity diagrams, GUI builders, class diagram editors, state machines, and even WYSIWYG text editors. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-gef-3.11.0-13.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:1364530979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/G5NN7PR7XAFENH54SGKB2BN2LWNBLOML/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "Eclipse Webtools. This contains sub-packages for different sub-projects of Eclipse Webtools project, including Server Tools, SourceEditing Tools, Webservices Tools, Java EE Tools, JSF Tools, and Dali (JPA) Tools. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-webtools-3.18.0-4.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:94A8C309799A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GYWVBWBZ2A7YYHKHMDFFU53PQZXFQT4Z/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "Apache Lucene is a high-performance, full-featured text search engine library written entirely in Java. It is a technology suitable for nearly any application that requires full-text search, especially cross-platform. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: lucene-8.4.1-9.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:C6AD93098B94", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QOZX3KV6DJMBTIWAWF2T7TJYOKD7NVTJ/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "The goal of the m2ec project is to provide a first-class Apache Maven suppo rt in the Eclipse IDE, making it easier to edit Maven's pom.xml, run a build f rom the IDE and much more. For Java developers, the very tight integration with JDT greatly simplifies the consumption of Java artifacts either being hosted on open source repositories such as Maven Central, or in your in-house Maven reposi tory. m2e is also a platform that let others provide better integration with additional Maven plugins (e.g. Android, web development, etc.), and facilit ates the distribution of those extensions through the m2e marketplace. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-m2e-core-1.16.1-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:2BD533098BA0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4KSWIWOCHSM44NPNJXPEMVWUP4MNY4SL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "ECF is a set of frameworks for building communications into applications and services. It provides a lightweight, modular, transport-independent, fully compliant implementation of the OSGi Remote Services standard. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-ecf-3.14.8-4.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:D4B143098BA2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KZITNZIUYSH7CL7XAB4F5JXXHOYWLLWF/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "The Eclipse Marketplace Client provides access to extension catalogs. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-mpc-1.8.3-2.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:49205309799A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNUZYQI72GXVRLAXBPDX2AMJ7JNEQSKF/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "ECJ is the Java bytecode compiler of the Eclipse Platform. It is also know n as the JDT Core batch compiler. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: ecj-4.16-4.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:85B0430979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VLWLODMFCKDKJ26QBIPK5AR3MQNOSPFG/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "Mylyn integrates task support into Eclipse. It supports offline editing for certain task repositories and monitors work activity to hide information that is not relevant to the current task. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-mylyn-3.25.0-3.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:61A713098ED5", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DUVW7XMW4GUBOXWKE3HY6J7JQCKHDUTY/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "uniVocity-parsers is a suite of extremely fast and reliable parsers for Java. It provides a consistent interface for handling different file formats, and a solid framework for the development of new parsers. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: univocity-parsers-2.8.4-5.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:E0E2C3098BA0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FSVLOHVDA54H3E4OREVT7H5BXMBIUABW/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": " Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in ord er to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simp ly included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:29", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: jetty-9.4.31-2.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:29", "id": "FEDORA:AF19730979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LYCAMDYHCQXK5C2737VBXFCPEIVTHIT3/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "Batik is a Java(tm) technology based toolkit for applications that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as viewing, generation or manipulation. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: batik-1.13-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:0D7F230979AB", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N3V3MJVGDUNTVPXXGYR335PZJJK7LDXC/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "The Eclipse platform is designed for building integrated development environments (IDEs), server-side applications, desktop applications, and everything in between. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-4.16-11.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:9F2FE3098B94", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T15:03:54", "description": "The Eclipse Modeling Framework (EMF) and XML Schema Definition (XSD) plug-i ns. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-31T15:50:28", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: eclipse-emf-2.22.0-2.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2020-08-31T15:50:28", "id": "FEDORA:EDF1E309799A", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ABABGHU7WQLUFAROWJAVMWZ3ZM7UNIYN/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-18T15:06:27", "description": "Updates to the latest upstream release of Eclipse. See the upstream release notes for details:\nhttps://www.eclipse.org/eclipseide/2020-06/noteworthy/\n\nAlso contains security fixes for CVE-2019-17566 and CVE-2019-17638.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-09-01T00:00:00", "type": "nessus", "title": "Fedora 32 : 1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik / etc (2020-cf8ef2f333)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17566", "CVE-2019-17638"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:ecj", "p-cpe:/a:fedoraproject:fedora:1:eclipse", "p-cpe:/a:fedoraproject:fedora:1:eclipse-emf", "p-cpe:/a:fedoraproject:fedora:2:eclipse-cdt", "p-cpe:/a:fedoraproject:fedora:batik", "p-cpe:/a:fedoraproject:fedora:eclipse-ecf", "p-cpe:/a:fedoraproject:fedora:eclipse-gef", "p-cpe:/a:fedoraproject:fedora:eclipse-m2e-core", "p-cpe:/a:fedoraproject:fedora:eclipse-mpc", "p-cpe:/a:fedoraproject:fedora:eclipse-mylyn", "p-cpe:/a:fedoraproject:fedora:eclipse-remote", "p-cpe:/a:fedoraproject:fedora:eclipse-webtools", "p-cpe:/a:fedoraproject:fedora:jetty", "p-cpe:/a:fedoraproject:fedora:lucene", "p-cpe:/a:fedoraproject:fedora:univocity-parsers", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-CF8EF2F333.NASL", "href": "https://www.tenable.com/plugins/nessus/140107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-cf8ef2f333.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140107);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2019-17566\", \"CVE-2019-17638\");\n script_xref(name:\"FEDORA\", value:\"2020-cf8ef2f333\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Fedora 32 : 1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik / etc (2020-cf8ef2f333)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updates to the latest upstream release of Eclipse. See the upstream\nrelease notes for details:\nhttps://www.eclipse.org/eclipseide/2020-06/noteworthy/\n\nAlso contains security fixes for CVE-2019-17566 and CVE-2019-17638.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-cf8ef2f333\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:ecj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:eclipse\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:eclipse-emf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:eclipse-cdt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:batik\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-ecf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-gef\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-m2e-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-mpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-mylyn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-remote\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:eclipse-webtools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:jetty\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:univocity-parsers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"ecj-4.16-4.fc32\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-4.16-11.fc32\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-emf-2.22.0-2.fc32\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-cdt-9.11.1-8.fc32\", epoch:\"2\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"batik-1.13-1.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-ecf-3.14.8-4.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-gef-3.11.0-13.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-m2e-core-1.16.1-1.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-mpc-1.8.3-2.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-mylyn-3.25.0-3.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-remote-3.0.1-6.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"eclipse-webtools-3.18.0-4.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"jetty-9.4.31-2.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"lucene-8.4.1-9.fc32\")) flag++;\nif (rpm_check(release:\"FC32\", reference:\"univocity-parsers-2.8.4-5.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:50", "description": "The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021 Critical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities:\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (Apache Commons Compress)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebCenter Portal (CVE-2019-12402).\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (Netty)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal (CVE-2020-11612). \n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework (Apache Tika)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle WebCenter Portal executes to compromise Oracle WebCenter Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebCenter Portal (CVE-2020-9489).\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-22T00:00:00", "type": "nessus", "title": "Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2021 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12402", "CVE-2020-11612", "CVE-2020-9489"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:webcenter_portal"], "id": "ORACLE_WEBCENTER_PORTAL_CPU_APR_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/148925", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148925);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-12402\", \"CVE-2020-9489\", \"CVE-2020-11612\");\n script_xref(name:\"IAVA\", value:\"2021-A-0326\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2021 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021\nCritical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities:\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework \n (Apache Commons Compress)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. \n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently \n repeatable crash (complete DOS) of Oracle WebCenter Portal (CVE-2019-12402).\n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework \n (Netty)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of \n this vulnerability can result in takeover of Oracle WebCenter Portal (CVE-2020-11612). \n\n - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework \n (Apache Tika)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability\n allows unauthenticated attacker with logon to the infrastructure where Oracle WebCenter Portal executes to \n compromise Oracle WebCenter Portal. Successful attacks require human interaction from a person other than the \n attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of Oracle WebCenter Portal (CVE-2020-9489).\n\nNote that Nessus has not attempted to exploit these issues but has instead relied only on the application's\nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuapr2021cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2021.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2021 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11612\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:webcenter_portal\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_webcenter_portal_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle WebCenter Portal\");\n\n exit(0);\n}\n\ninclude('vcf_extras_oracle_webcenter_portal.inc');\n\nvar app_info = vcf::oracle_webcenter_portal::get_app_info();\n\nvar constraints = [\n {'min_version' : '11.1.1.9', 'fixed_version' : '11.1.1.9.210115'},\n {'min_version' : '12.2.1.3', 'fixed_version' : '12.2.1.3.210225'},\n {'min_version' : '12.2.1.4', 'fixed_version' : '12.2.1.4.210225'}\n];\n\nvcf::oracle_webcenter_portal::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-15T15:14:55", "description": "According to the versions of the thrift packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.(CVE-2019-0210)\n\n - In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.(CVE-2019-0205)\n\n - Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.(CVE-2018-1320)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.6 : thrift (EulerOS-SA-2021-1457)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1320", "CVE-2019-0205", "CVE-2019-0210"], "modified": "2021-03-16T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:thrift-lib-cpp", "p-cpe:/a:huawei:euleros:thrift-lib-python", "cpe:/o:huawei:euleros:uvp:3.0.6.6"], "id": "EULEROS_SA-2021-1457.NASL", "href": "https://www.tenable.com/plugins/nessus/147467", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147467);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/16\");\n\n script_cve_id(\n \"CVE-2018-1320\",\n \"CVE-2019-0205\",\n \"CVE-2019-0210\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.6 : thrift (EulerOS-SA-2021-1457)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the thrift packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - In Apache Thrift 0.9.3 to 0.12.0, a server implemented\n in Go using TJSONProtocol or TSimpleJSONProtocol may\n panic when feed with invalid input data.(CVE-2019-0210)\n\n - In Apache Thrift all versions up to and including\n 0.12.0, a server or client may run into an endless loop\n when feed with specific input data. Because the issue\n had already been partially fixed in version 0.11.0,\n depending on the installed version it affects only\n certain language bindings.(CVE-2019-0205)\n\n - Apache Thrift Java client library versions 0.5.0\n through 0.11.0 can bypass SASL negotiation isComplete\n validation in the\n org.apache.thrift.transport.TSaslTransport class. An\n assert used to determine if the SASL handshake had\n successfully completed could be disabled in production\n settings making the validation\n incomplete.(CVE-2018-1320)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1457\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?401be034\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected thrift packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1320\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:thrift-lib-cpp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:thrift-lib-python\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"thrift-lib-cpp-0.9.3.1-1\",\n \"thrift-lib-cpp-0.9.3.1-1.i586\",\n \"thrift-lib-python-0.9.3.1-1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"thrift\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:51", "description": "The remote host is affected by the vulnerability described in GLSA-202107-32 (Apache Thrift: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache Thrift. Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2022-01-24T00:00:00", "type": "nessus", "title": "GLSA-202107-32 : Apache Thrift: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2020-13949"], "modified": "2022-01-26T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:thrift", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202107-32.NASL", "href": "https://www.tenable.com/plugins/nessus/157019", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202107-32.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(157019);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/26\");\n\n script_cve_id(\"CVE-2019-0205\", \"CVE-2019-0210\", \"CVE-2020-13949\");\n script_xref(name:\"GLSA\", value:\"202107-32\");\n\n script_name(english:\"GLSA-202107-32 : Apache Thrift: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202107-32\n(Apache Thrift: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Apache Thrift. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202107-32\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Apache Thrift users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-python/thrift-0.14.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0205\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:thrift\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-python/thrift\", unaffected:make_list(\"ge 0.14.1\"), vulnerable:make_list(\"lt 0.14.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Apache Thrift\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-30T14:16:25", "description": "Apache Shiro before 1.6.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "Apache Shiro < 1.6.0 Authentication Bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13933"], "modified": "2022-06-02T00:00:00", "cpe": ["cpe:/a:apache:shiro"], "id": "APACHE_SHIRO_CVE-2020-13933.NASL", "href": "https://www.tenable.com/plugins/nessus/161733", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161733);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/02\");\n\n script_cve_id(\"CVE-2020-13933\");\n\n script_name(english:\"Apache Shiro < 1.6.0 Authentication Bypass\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A Java security framework is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Apache Shiro before 1.6.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an\nauthentication bypass.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://shiro.apache.org/security-reports.html#cve_2020_13933\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Shiro 1.6.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13933\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:shiro\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"shiro_jar_detection.nbin\");\n script_require_keys(\"installed_sw/Apache Shiro\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Apache Shiro');\n\nvar constraints = [\n {'fixed_version' : '1.6.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-15T16:16:42", "description": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "Apache Shiro < 1.5.3 Authentication Bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11989"], "modified": "2022-06-02T00:00:00", "cpe": ["cpe:/a:apache:shiro"], "id": "APACHE_SHIRO_CVE-2020-11989.NASL", "href": "https://www.tenable.com/plugins/nessus/161727", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161727);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/02\");\n\n script_cve_id(\"CVE-2020-11989\");\n\n script_name(english:\"Apache Shiro < 1.5.3 Authentication Bypass\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A Java security framework is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may \ncause an authentication bypass.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://shiro.apache.org/security-reports.html#cve_2020_11989\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Shiro 1.5.3 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11989\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:shiro\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"shiro_jar_detection.nbin\");\n script_require_keys(\"installed_sw/Apache Shiro\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Apache Shiro');\n\nvar constraints = [\n {'fixed_version' : '1.5.3'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:41", "description": "The version of IBM WebSphere Application Server Liberty running on the remote host is affected by a vulnerability as referenced in the 6602039 advisory.\n\n - In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information. (CVE-2019-11777)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-07T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server Liberty 17.0.0.3 < 22.0.0.8 (6602039)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11777"], "modified": "2022-09-07T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_LIBERTY_6602039.NASL", "href": "https://www.tenable.com/plugins/nessus/164809", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164809);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/07\");\n\n script_cve_id(\"CVE-2019-11777\");\n\n script_name(english:\"IBM WebSphere Application Server Liberty 17.0.0.3 < 22.0.0.8 (6602039)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM WebSphere Application Server Liberty running on the remote host is affected by a vulnerability as\nreferenced in the 6602039 advisory.\n\n - In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and\n setting a host name verifier, the result of that verification is not checked. This could allow one MQTT\n server to impersonate another and provide the client library with incorrect information. (CVE-2019-11777)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/6602039\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to IBM WebSphere Application Server Liberty version 22.0.0.8 or later. Alternatively, upgrade to the minimal fix\npack levels required by the interim fix and then apply Interim Fix PH45750.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11777\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_liberty_detect.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Application Server\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app = 'IBM WebSphere Application Server';\nvar app_info = vcf::combined_get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\nif (app_info['Product'] != app + ' Liberty')\n audit(AUDIT_HOST_NOT, app + ' Liberty');\n\n# If the detection is only remote, Source will be set, and we should require paranoia\nif (!empty_or_null(app_info['Source']) && app_info['Source'] != 'unknown' && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nif ('PH45750' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nvar constraints = [\n { 'min_version' : '17.0.0.3', 'fixed_version' : '22.0.0.8', 'fixed_display' : '22.0.0.8 or Interim Fix PH45750' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:03:26", "description": "The remote Redhat Enterprise Linux 6 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0962 advisory.\n\n - thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n - thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n - wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)\n\n - undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-03-24T00:00:00", "type": "nessus", "title": "RHEL 6 / 8 : Red Hat JBoss Enterprise Application Platform 7.3 (RHSA-2020:0962)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2019-14887", "CVE-2020-1745"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:eap7-jaegertracing-jaeger-client-java", "p-cpe:/a:redhat:enterprise_linux:eap7-jaegertracing-jaeger-client-java-core", "p-cpe:/a:redhat:enterprise_linux:eap7-jaegertracing-jaeger-client-java-thrift", "p-cpe:/a:redhat:enterprise_linux:eap7-thrift", "p-cpe:/a:redhat:enterprise_linux:eap7-undertow", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java", "p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-linux-x86_64"], "id": "REDHAT-RHSA-2020-0962.NASL", "href": "https://www.tenable.com/plugins/nessus/134870", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:0962. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134870);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2019-0205\",\n \"CVE-2019-0210\",\n \"CVE-2019-14887\",\n \"CVE-2020-1745\"\n );\n script_xref(name:\"RHSA\", value:\"2020:0962\");\n\n script_name(english:\"RHEL 6 / 8 : Red Hat JBoss Enterprise Application Platform 7.3 (RHSA-2020:0962)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 / 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:0962 advisory.\n\n - thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n - thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n - wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is\n in use (CVE-2019-14887)\n\n - undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-0205\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-0210\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14887\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1745\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:0962\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1764607\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1764612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1772008\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1807305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-1745\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(125, 285, 400, 757);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jaegertracing-jaeger-client-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jaegertracing-jaeger-client-java-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-jaegertracing-jaeger-client-java-thrift\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-thrift\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-undertow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-openssl-linux-x86_64\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release_list(operator: 'ge', os_version: os_ver, rhel_versions: ['6','8'])) audit(AUDIT_OS_NOT, 'Red Hat 6.x / 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/layered/rhel8/x86_64/jbeap/7.3/debug',\n 'content/dist/layered/rhel8/x86_64/jbeap/7.3/os',\n 'content/dist/layered/rhel8/x86_64/jbeap/7.3/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-thrift-0.13.0-1.redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el8eap', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el8eap', 'cpu':'x86_64', 'release':'8', 'el_string':'el8eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/6/6Server/x86_64/jbeap/7.3/debug',\n 'content/dist/rhel/server/6/6Server/x86_64/jbeap/7.3/os',\n 'content/dist/rhel/server/6/6Server/x86_64/jbeap/7.3/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-thrift-0.13.0-1.redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el6eap', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'},\n {'reference':'eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el6eap', 'cpu':'x86_64', 'release':'6', 'el_string':'el6eap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'eap7-jboss'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'eap7-jaegertracing-jaeger-client-java / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:09:29", "description": "Jenkins Security Advisory : Description(Critical) SECURITY-1983 / CVE-2019-17638 Buffer corruption in bundled Jetty", "cvss3": {}, "published": "2020-08-18T00:00:00", "type": "nessus", "title": "FreeBSD : jenkins -- Buffer corruption in bundled Jetty (09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17638"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:jenkins", "p-cpe:/a:freebsd:freebsd:jenkins-lts", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_09EA1B081D3E4BF291A1D6573F4DA3D8.NASL", "href": "https://www.tenable.com/plugins/nessus/139640", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139640);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-17638\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"FreeBSD : jenkins -- Buffer corruption in bundled Jetty (09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Jenkins Security Advisory : Description(Critical) SECURITY-1983 /\nCVE-2019-17638 Buffer corruption in bundled Jetty\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.jenkins.io/security/advisory/2020-08-17/\");\n # https://vuxml.freebsd.org/freebsd/09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71e34d5a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:jenkins-lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"jenkins<2.243\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"jenkins-lts<2.235.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2023-07-16T16:49:28", "description": "### Background\n\nApache Thrift is a software framework that combines a software stack with a code generation engine to build services that work efficiently and seamlessly between many languages. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Apache Thrift. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Apache Thrift users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-python/thrift-0.14.1\"", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-14T00:00:00", "type": "gentoo", "title": "Apache Thrift: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0205", "CVE-2019-0210", "CVE-2020-13949"], "modified": "2021-07-14T00:00:00", "id": "GLSA-202107-32", "href": "https://security.gentoo.org/glsa/202107-32", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "github": [{"lastseen": "2023-06-06T15:20:33", "description": "Server-Side Template Injection and arbitrary file disclosure on Camel templating components", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-29T18:08:48", "type": "github", "title": "Server side template injection in Apache Camel", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11994"], "modified": "2023-02-01T05:04:21", "id": "GHSA-9VFJ-5G7H-4P24", "href": "https://github.com/advisories/GHSA-9vfj-5g7h-4p24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:20:15", "description": "Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T15:53:10", "type": "github", "title": "Improper Authentication in Apache Shiro", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2023-02-01T05:05:30", "id": "GHSA-72W9-FCJ5-3FCG", "href": "https://github.com/advisories/GHSA-72w9-fcj5-3fcg", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:20:34", "description": "Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T21:09:04", "type": "github", "title": "Apache Camel Netty enables Java deserialization by default", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11973"], "modified": "2023-01-27T05:04:39", "id": "GHSA-H79P-32MX-FJJ9", "href": "https://github.com/advisories/GHSA-h79p-32mx-fjj9", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:19:40", "description": "In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an \"admin\" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a \"viewer\" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as \"viewer\" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a \"viewer\" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2022-02-10T23:04:32", "type": "github", "title": "Server-Side Request Forgery in Karaf", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11980"], "modified": "2023-02-01T05:05:37", "id": "GHSA-9JG9-6WM2-X7P5", "href": "https://github.com/advisories/GHSA-9jg9-6wm2-x7p5", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:20:10", "description": "Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-21T19:20:30", "type": "github", "title": "Improper Input Validation in Apache Camel", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2023-04-14T19:27:10", "id": "GHSA-HFG5-XPVW-C9X4", "href": "https://github.com/advisories/GHSA-hfg5-xpvw-c9x4", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:19:34", "description": "A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-18T17:58:59", "type": "github", "title": "RESTEasy 4.5.5.Final in hash flooding", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2023-01-27T05:01:59", "id": "GHSA-37G7-8VJJ-PJPJ", "href": "https://github.com/advisories/GHSA-37g7-8vjj-pjpj", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-06T15:20:14", "description": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T15:54:23", "type": "github", "title": "Authentication bypass in Apache Shiro", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2023-02-01T05:05:41", "id": "GHSA-2VGM-WXR3-6W2J", "href": "https://github.com/advisories/GHSA-2vgm-wxr3-6w2j", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-13T17:14:00", "description": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-10T23:05:04", "type": "github", "title": "SQL Injection in Hibernate ORM", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2023-02-01T05:05:29", "id": "GHSA-8GRG-Q944-CCH5", "href": "https://github.com/advisories/GHSA-8grg-q944-cch5", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:20:10", "description": "Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-21T19:20:47", "type": "github", "title": "Deserialization of Untrusted Data in Apache Camel RabbitMQ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11972"], "modified": "2023-02-01T05:06:04", "id": "GHSA-2X6R-7427-95CM", "href": "https://github.com/advisories/GHSA-2x6r-7427-95cm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T14:37:36", "description": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-09-17T22:47:11", "type": "github", "title": "Improper Handling of Exceptional Conditions and Origin Validation Error in Eclipse Paho Java client library", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2023-02-01T05:02:35", "id": "GHSA-63QC-P2X4-9FGF", "href": "https://github.com/advisories/GHSA-63qc-p2x4-9fgf", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:20:15", "description": "A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-05-07T15:53:40", "type": "github", "title": "Missing Release of Memory after Effective Lifetime in Apache Tika", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2023-05-01T19:38:51", "id": "GHSA-4PV3-63JW-4JW2", "href": "https://github.com/advisories/GHSA-4pv3-63jw-4jw2", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-13T17:14:49", "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-01T17:55:03", "type": "github", "title": "XML external entity injection in Terracotta Quartz Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2023-01-29T05:06:35", "id": "GHSA-9QCF-C26R-X5RF", "href": "https://github.com/advisories/GHSA-9qcf-c26r-x5rf", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-17T09:38:13", "description": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping `<option>` elements in `<select>` ones changes parsing behavior, leading to possibly unsanitizing code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-18T14:19:58", "type": "github", "title": "Cross site scripting in Angular", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2023-09-08T20:50:35", "id": "GHSA-MHP6-PXH8-R675", "href": "https://github.com/advisories/GHSA-mhp6-pxh8-r675", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-08-22T22:14:09", "description": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T17:21:23", "type": "github", "title": "Wildfly Unsafe Deserialization Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2023-08-22T14:34:12", "id": "GHSA-VRMW-2XHQ-HRMP", "href": "https://github.com/advisories/GHSA-vrmw-2xhq-hrmp", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-01-09T05:06:59", "description": "### Impact\nA server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by [CVE-2020-11612](https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897).\n\n### Patches\nUpgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe.\n\n### Workarounds\nAdd an explicit runtime dependency on async-http-client's netty dependencies that evicts them to an unaffected version:\n\n```scala\nlibraryDependencies ++= Seq(\n \"io.netty\" % \"netty-codec\" % \"4.1.53.Final\" % Runtime,\n \"io.netty\" % \"netty-codec-socks\" % \"4.1.53.Final\" % Runtime,\n \"io.netty\" % \"netty-handler-proxy\" % \"4.1.53.Final\" % Runtime,\n \"io.netty\" % \"netty-common\" % \"4.1.53.Final\" % Runtime,\n \"io.netty\" % \"netty-transport\" % \"4.1.53.Final\" % Runtime,\n \"io.netty\" % \"netty-handler\" % \"4.1.53.Final\" % Runtime,\n \"io.netty\" % \"netty-resolver-dns\" % \"4.1.53.Final\" % Runtime\n)\n```\n\n### References\n* https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897\n* https://github.com/http4s/http4s/issues/3681\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s](https://github.com/http4s/http4s/issues/new)\n* Contact a maintainer privately per [http4s' security policy](https://github.com/http4s/http4s/blob/master/SECURITY.md#reporting-a-vulnerability)", "cvss3": {}, "published": "2020-10-16T17:03:43", "type": "github", "title": "Memory exhaustion in http4s-async-http-client with large or malicious compressed responses", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-11612"], "modified": "2023-01-09T05:04:15", "id": "GHSA-8HXH-R6F7-JF45", "href": "https://github.com/advisories/GHSA-8hxh-r6f7-jf45", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntucve": [{"lastseen": "2023-07-28T02:16:56", "description": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic\ncontrollers, a specially crafted request may cause an authentication\nbypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-22T00:00:00", "type": "ubuntucve", "title": "CVE-2020-11989", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2020-06-22T00:00:00", "id": "UB:CVE-2020-11989", "href": "https://ubuntu.com/security/CVE-2020-11989", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-28T00:46:22", "description": "A flaw was found in Undertow when using Remoting as shipped in Red Hat\nJboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to\nholding remote connections indefinitely may lead to denial of service.\nVersions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are\nbelieved to be vulnerable.\n\n#### Bugs\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=1780445>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-23T00:00:00", "type": "ubuntucve", "title": "CVE-2019-19343", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19343"], "modified": "2021-03-23T00:00:00", "id": "UB:CVE-2019-19343", "href": "https://ubuntu.com/security/CVE-2019-19343", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-27T23:59:40", "description": "A vulnerability was found in RESTEasy, where RootNode incorrectly caches\nroutes. This issue results in hash flooding, leading to slower requests\nwith higher CPU time spent searching and adding the entry. This flaw allows\nan attacker to cause a denial of service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-02T00:00:00", "type": "ubuntucve", "title": "CVE-2020-14326", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2021-06-02T00:00:00", "id": "UB:CVE-2020-14326", "href": "https://ubuntu.com/security/CVE-2020-14326", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-07-28T02:31:10", "description": "A carefully crafted or corrupt file may trigger a System.exit in Tika's\nOneNote Parser. Crafted or corrupted files can also cause out of memory\nerrors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser,\nSAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should\nupgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were\npartially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency\nto org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we\nupgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-04-27T00:00:00", "type": "ubuntucve", "title": "CVE-2020-9489", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2020-04-27T00:00:00", "id": "UB:CVE-2020-9489", "href": "https://ubuntu.com/security/CVE-2020-9489", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-07T17:53:11", "description": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted\nHTTP request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-17T00:00:00", "type": "ubuntucve", "title": "CVE-2020-13933", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2020-08-17T00:00:00", "id": "UB:CVE-2020-13933", "href": "https://ubuntu.com/security/CVE-2020-13933", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-07-28T04:05:13", "description": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator\nannotation fails to properly sanitize payloads consisting of potentially\nmalicious code in HTML comments and instructions. This vulnerability can\nresult in an XSS attack.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-11-08T00:00:00", "type": "ubuntucve", "title": "CVE-2019-10219", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219"], "modified": "2019-11-08T00:00:00", "id": "UB:CVE-2019-10219", "href": "https://ubuntu.com/security/CVE-2019-10219", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-29T14:11:55", "description": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based\ninput HTML replacement may turn sanitized code into unsanitized one.\nWrapping \"<option>\" elements in \"<select>\" ones changes parsing behavior,\nleading to possibly unsanitizing code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-08T00:00:00", "type": "ubuntucve", "title": "CVE-2020-7676", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-06-08T00:00:00", "id": "UB:CVE-2020-7676", "href": "https://ubuntu.com/security/CVE-2020-7676", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-07-28T04:49:33", "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta\nQuartz Scheduler through 2.3.0 allows XXE attacks via a job description.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933169>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933170>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-26T00:00:00", "type": "ubuntucve", "title": "CVE-2019-13990", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2019-07-26T00:00:00", "id": "UB:CVE-2019-13990", "href": "https://ubuntu.com/security/CVE-2019-13990", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-06T14:08:06", "description": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-22T18:15:00", "type": "cve", "title": "CVE-2020-10740", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2020-07-10T18:10:00", "cpe": [], "id": "CVE-2020-10740", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10740", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-06T14:22:57", "description": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-17T21:15:00", "type": "cve", "title": "CVE-2020-13933", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2022-03-31T02:01:00", "cpe": ["cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-13933", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13933", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:17:53", "description": "Server-Side Template Injection and arbitrary file disclosure on Camel templating components", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-08T16:15:00", "type": "cve", "title": "CVE-2020-11994", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11994"], "modified": "2022-04-01T15:33:00", "cpe": ["cpe:/a:apache:camel:2.22.5", "cpe:/a:oracle:communications_diameter_signaling_router:8.5.0", "cpe:/a:apache:camel:2.25.1", "cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0", "cpe:/a:apache:camel:2.25.0", "cpe:/a:oracle:enterprise_repository:11.1.1.7.0", "cpe:/a:apache:camel:2.23.4", "cpe:/a:apache:camel:3.3.0", "cpe:/a:apache:camel:2.24.3"], "id": "CVE-2020-11994", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11994", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:apache:camel:2.22.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.25.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.25.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.24.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.23.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.5.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:17:50", "description": "Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-14T17:15:00", "type": "cve", "title": "CVE-2020-11971", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2022-05-12T15:00:00", "cpe": ["cpe:/a:oracle:communications_diameter_intelligence_hub:8.1.0", "cpe:/a:apache:camel:3.1.0", "cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:communications_diameter_signaling_router:8.2.2", "cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:enterprise_manager_base_platform:13.3.0.0", "cpe:/a:oracle:communications_diameter_intelligence_hub:8.2.3"], "id": "CVE-2020-11971", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11971", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:54:50", "description": "A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-23T21:15:00", "type": "cve", "title": "CVE-2019-19343", "cwe": ["CWE-404"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19343"], "modified": "2022-05-03T13:05:00", "cpe": ["cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:redhat:undertow:2.0.25", "cpe:/a:redhat:jboss-remoting:5.0.14"], "id": "CVE-2019-19343", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19343", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:redhat:jboss-remoting:5.0.14:-:*:*:*:*:*:*", "cpe:2.3:a:redhat:undertow:2.0.25:-:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*"]}, {"lastseen": "2023-06-13T14:42:02", "description": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-06T19:15:00", "type": "cve", "title": "CVE-2019-14900", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2022-04-29T17:08:00", "cpe": ["cpe:/a:redhat:openstack:13", "cpe:/a:redhat:jboss_enterprise_application_platform:7.2", "cpe:/a:quarkus:quarkus:1.5.2", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "cpe:/a:redhat:single_sign-on:-", "cpe:/a:redhat:jboss_data_grid:7.0.0", "cpe:/a:redhat:jboss_enterprise_application_platform:-", "cpe:/a:redhat:build_of_quarkus:-", "cpe:/a:redhat:openstack:14", "cpe:/a:redhat:jboss_middleware_text-only_advisories:-", "cpe:/a:redhat:openstack:10", "cpe:/a:redhat:decision_manager:7.0"], "id": "CVE-2019-14900", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14900", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:quarkus:quarkus:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:17:50", "description": "In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an \"admin\" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a \"viewer\" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as \"viewer\" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a \"viewer\" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-12T22:15:00", "type": "cve", "title": "CVE-2020-11980", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11980"], "modified": "2021-01-07T19:02:00", "cpe": [], "id": "CVE-2020-11980", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11980", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-06T14:18:06", "description": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-22T19:15:00", "type": "cve", "title": "CVE-2020-11989", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2022-05-03T13:59:00", "cpe": [], "id": "CVE-2020-11989", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11989", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-06T14:17:49", "description": "Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-14T17:15:00", "type": "cve", "title": "CVE-2020-11972", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11972"], "modified": "2021-03-15T22:15:00", "cpe": ["cpe:/a:apache:camel:3.1.0", "cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:communications_diameter_signaling_router:8.2.2", "cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0", "cpe:/a:apache:camel:2.25.0", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:enterprise_manager_base_platform:13.3.0.0"], "id": "CVE-2020-11972", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11972", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.25.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:17:52", "description": "Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-14T17:15:00", "type": "cve", "title": "CVE-2020-11973", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11973"], "modified": "2022-10-05T20:53:00", "cpe": ["cpe:/a:apache:camel:3.1.0", "cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:communications_diameter_signaling_router:8.5.0", "cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0", "cpe:/a:apache:camel:2.25.0", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:enterprise_manager_base_platform:13.3.0.0"], "id": "CVE-2020-11973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11973", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:camel:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.25.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:50:48", "description": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-07-09T18:15:00", "type": "cve", "title": "CVE-2019-17638", "cwe": ["CWE-672"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2021-06-14T18:15:00", "cpe": ["cpe:/a:eclipse:jetty:9.4.28", "cpe:/a:eclipse:jetty:9.4.29", "cpe:/a:eclipse:jetty:9.4.27"], "id": "CVE-2019-17638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17638", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:eclipse:jetty:9.4.28:20200408:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*", "cpe:2.3:a:eclipse:jetty:9.4.29:20200521:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:32:47", "description": "Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter \"rs.security.keystore.type\" to \"jwk\". For this case all keys are returned in this file \"as is\", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. \"oct\" keys, which contain secret keys, are not returned at all.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-01-16T18:15:00", "type": "cve", "title": "CVE-2019-12423", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12423"], "modified": "2021-06-17T17:24:00", "cpe": ["cpe:/a:oracle:communications_session_route_manager:8.1.1", "cpe:/a:oracle:communications_diameter_signaling_router:8.2.2", "cpe:/a:oracle:communications_session_route_manager:8.2.1", "cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:communications_session_route_manager:8.2.0", "cpe:/a:oracle:communications_element_manager:8.2.2", "cpe:/a:oracle:commerce_guided_search:11.3.2", "cpe:/a:oracle:communications_session_report_manager:8.2.2", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:retail_order_broker:15.0"], "id": "CVE-2019-12423", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12423", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:38:00", "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-26T19:15:00", "type": "cve", "title": "CVE-2019-13990", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2023-03-03T15:22:00", "cpe": ["cpe:/a:netapp:cloud_secure_agent:-", "cpe:/a:oracle:retail_order_broker:19.0", "cpe:/a:oracle:google_guava_mapviewer:19c", "cpe:/a:oracle:apache_batik_mapviewer:18c", "cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0", "cpe:/a:oracle:communications_ip_service_activator:7.4.0", "cpe:/a:oracle:enterprise_manager_base_platform:13.2.1.0", "cpe:/a:oracle:flexcube_investor_servicing:12.1.0", "cpe:/a:oracle:retail_xstore_point_of_service:19.0", "cpe:/a:oracle:apache_batik_mapviewer:12.2.0.1", "cpe:/a:oracle:primavera_unifier:16.2", "cpe:/a:oracle:webcenter_sites:12.2.1.3.0", "cpe:/a:oracle:banking_enterprise_product_manufacturing:2.8.0", "cpe:/a:apache:tomee:7.1.3", "cpe:/a:oracle:google_guava_mapviewer:12.2.0.1", "cpe:/a:oracle:retail_xstore_point_of_service:15.0", "cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:primavera_unifier:17.12", "cpe:/a:oracle:webcenter_sites:12.2.1.4.0", "cpe:/a:oracle:retail_point-of-service:14.1", "cpe:/a:oracle:banking_payments:14.4.0", "cpe:/a:oracle:flexcube_investor_servicing:12.4.0", "cpe:/a:oracle:retail_order_broker:15.0", "cpe:/a:oracle:banking_enterprise_originations:2.7.0", "cpe:/a:oracle:retail_returns_management:14.1", "cpe:/a:oracle:retail_central_office:14.1", "cpe:/a:oracle:hyperion_infrastructure_technology:11.1.2.4", "cpe:/a:oracle:primavera_unifier:16.1", "cpe:/a:oracle:retail_integration_bus:16.0", "cpe:/a:oracle:primavera_unifier:18.8", "cpe:/a:oracle:apache_batik_mapviewer:19c", "cpe:/a:oracle:terracotta_quartz_scheduler_mapviewer:18c", "cpe:/a:oracle:retail_xstore_point_of_service:17.0", "cpe:/a:oracle:customer_management_and_segmentation_foundation:18.0", "cpe:/a:oracle:flexcube_investor_servicing:12.3.0", "cpe:/a:oracle:retail_xstore_point_of_service:16.0", "cpe:/a:oracle:banking_enterprise_originations:2.8.0", "cpe:/a:oracle:retail_order_broker:16.0", "cpe:/a:oracle:documaker:12.6.4", "cpe:/a:oracle:flexcube_investor_servicing:14.1.0", "cpe:/a:oracle:flexcube_investor_servicing:14.4.0", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.5.3", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:fusion_middleware_mapviewer:12.2.1.3.0", "cpe:/a:oracle:banking_enterprise_product_manufacturing:2.7.0", "cpe:/a:oracle:retail_order_broker:18.0", "cpe:/a:oracle:terracotta_quartz_scheduler_mapviewer:19c", "cpe:/a:oracle:google_guava_mapviewer:18c", "cpe:/a:oracle:communications_session_route_manager:8.2.2", "cpe:/a:oracle:retail_xstore_point_of_service:18.0", "cpe:/a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1", "cpe:/a:oracle:communications_ip_service_activator:7.3.0", "cpe:/a:oracle:retail_back_office:14.1", "cpe:/a:oracle:retail_integration_bus:15.0"], "id": "CVE-2019-13990", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13990", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:google_guava_mapviewer:19c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:apache_batik_mapviewer:18c:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:google_guava_mapviewer:18c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:oracle:apache_batik_mapviewer:19c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T15:02:14", "description": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"<option>\" elements in \"<select>\" ones changes parsing behavior, leading to possibly unsanitizing code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-08T14:15:00", "type": "cve", "title": "CVE-2020-7676", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-10-09T16:15:00", "cpe": [], "id": "CVE-2020-7676", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7676", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2023-06-06T15:06:44", "description": "A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-04-27T14:15:00", "type": "cve", "title": "CVE-2020-9489", "cwe": ["CWE-835"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2022-10-07T00:08:00", "cpe": ["cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:webcenter_portal:12.2.1.3.0", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:webcenter_portal:12.2.1.4.0", "cpe:/o:oracle:communications_messaging_server:8.1", "cpe:/a:oracle:primavera_unifier:16.1", "cpe:/a:oracle:primavera_unifier:17.12", "cpe:/a:oracle:primavera_unifier:16.2", "cpe:/a:apache:tika:1.24", "cpe:/a:oracle:primavera_unifier:18.8", "cpe:/a:oracle:primavera_unifier:19.12"], "id": "CVE-2020-9489", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9489", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tika:1.24:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:23:51", "description": "A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-02T12:15:00", "type": "cve", "title": "CVE-2020-14326", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2022-07-15T17:38:00", "cpe": ["cpe:/a:netapp:oncommand_insight:-", "cpe:/a:redhat:integration_camel_k:-"], "id": "CVE-2020-14326", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14326", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:24:41", "description": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-11-08T15:15:00", "type": "cve", "title": "CVE-2019-10219", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219"], "modified": "2022-09-12T13:51:00", "cpe": ["cpe:/a:oracle:agile_plm:9.3.6", "cpe:/a:oracle:managed_file_transfer:12.2.1.4.0", "cpe:/a:oracle:business_activity_monitoring:12.2.1.4.0", "cpe:/a:oracle:java_se:17.1", "cpe:/a:oracle:banking_enterprise_default_management:2.7.1", "cpe:/a:oracle:thesaurus_management_system:5.3.1", "cpe:/a:oracle:financial_services_behavior_detection_platform:8.0.7", "cpe:/a:oracle:healthcare_foundation:8.1.1", "cpe:/a:redhat:jboss_enterprise_application_platform:7.2", "cpe:/a:oracle:banking_apis:20.1", "cpe:/a:oracle:communications_network_integrity:7.3.5", "cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.4", "cpe:/a:oracle:insurance_policy_administration:11.3.1", "cpe:/a:oracle:hospitality_suite8:8.13.0", "cpe:/a:oracle:financial_services_enterprise_case_management:8.0.11", "cpe:/a:oracle:financial_services_behavior_detection_platform:8.0.8", "cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.10.0", "cpe:/a:oracle:application_testing_suite:13.3.0.1", "cpe:/a:oracle:database_server:12.1.0.2", "cpe:/a:oracle:retail_price_management:14.1.3", "cpe:/a:oracle:communications_calendar_server:8.0.0.5.0", "cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0", "cpe:/a:oracle:hyperion_financial_management:11.1.2.4", "cpe:/a:oracle:goldengate_application_adapters:19.1.0.0.0", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.24.0", "cpe:/a:redhat:single_sign-on:-", "cpe:/a:oracle:communications_data_model:12.1.0.1.0", "cpe:/a:oracle:communications_unified_inventory_management:7.4.2", "cpe:/a:oracle:communications_webrtc_session_controller:7.2.0", "cpe:/a:oracle:insurance_rules_palette:11.0.2", "cpe:/a:oracle:insurance_policy_administration_j2ee:11.3.0", "cpe:/a:oracle:sd-wan_aware:8.2", "cpe:/a:oracle:utilities_framework:4.4.0.0.0", "cpe:/a:oracle:airlines_data_model:12.2.0.1.0", "cpe:/a:oracle:retail_analytics:16.0.2", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:oracle:application_express:21.1.4", "cpe:/a:oracle:webcenter_portal:12.2.1.3.0", "cpe:/a:oracle:retail_eftlink:17.0.2", "cpe:/a:oracle:primavera_analytics:20.12.12.0", "cpe:/a:oracle:weblogic_server:12.2.1.4.0", "cpe:/a:oracle:argus_safety:8.2.3", "cpe:/a:oracle:banking_enterprise_default_management:2.10.0", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0", "cpe:/a:oracle:health_sciences_inform_crf_submit:6.2.1", "cpe:/a:oracle:bi_publisher:12.2.1.4.0", "cpe:/a:oracle:java_se:8u311", "cpe:/a:oracle:primavera_gateway:21.12.0", "cpe:/a:oracle:primavera_portfolio_management:19.0.1.2", "cpe:/a:oracle:communications_data_model:12.1.2.0.0", "cpe:/a:oracle:retail_eftlink:20.0.1", "cpe:/a:oracle:retail_customer_insights:16.0.2", "cpe:/a:oracle:enterprise_session_border_controller:8.4", "cpe:/a:oracle:agile_engineering_data_management:6.2.1.0", "cpe:/a:oracle:communications_offline_mediation_controller:12.0.0.3", "cpe:/a:oracle:banking_apis:18.3", "cpe:/a:redhat:hibernate_validator:6.1.0", "cpe:/a:oracle:communications_interactive_session_recorder:6.3", "cpe:/a:oracle:communications_design_studio:7.4.1", "cpe:/a:oracle:communications_webrtc_session_controller:7.2.1", "cpe:/a:oracle:e-business_suite:12.2.11", "cpe:/a:oracle:primavera_analytics:18.8.3.3", "cpe:/a:oracle:retail_financial_integration:16.0.3", "cpe:/a:oracle:thesaurus_management_system:5.2.3", "cpe:/a:oracle:banking_digital_experience:21.1", "cpe:/a:oracle:retail_service_backbone:19.0.1", "cpe:/o:netapp:element:-", "cpe:/a:oracle:financial_services_model_management_and_governance:8.1.1", "cpe:/a:oracle:argus_analytics:8.21", "cpe:/a:oracle:primavera_unifier:21.12", "cpe:/a:oracle:communications_convergent_charging_controller:6.0.1.0.0", "cpe:/a:oracle:retail_extract_transform_and_load:13.2.8", "cpe:/a:oracle:instantis_enterprisetrack:17.3", "cpe:/a:oracle:insurance_policy_administration_j2ee:11.0.2", "cpe:/a:oracle:healthcare_foundation:8.0.2", "cpe:/a:oracle:flexcube_investor_servicing:12.3.0", "cpe:/a:oracle:argus_analytics:8.2.1", "cpe:/a:oracle:communications_data_model:11.3.2.1.0", "cpe:/a:oracle:peoplesoft_enterprise_people_tools:8.58", "cpe:/a:oracle:retail_predictive_application_server:15.0.3", "cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0", "cpe:/a:oracle:essbase:11.1.2.4.47", "cpe:/a:oracle:policy_automation:12.2.24", "cpe:/a:oracle:communications_calendar_server:8.0.0.6.0", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.1.1", "cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0", "cpe:/a:redhat:jboss_enterprise_application_platform:-", "cpe:/a:oracle:enterprise_manager_ops_center:12.4.0.0", "cpe:/a:oracle:flexcube_investor_servicing:12.1.0", "cpe:/a:oracle:insurance_policy_administration:11.3.0", "cpe:/a:oracle:managed_file_transfer:12.2.1.3.0", "cpe:/a:oracle:communications_unified_inventory_management:7.4.1", "cpe:/a:oracle:communications_session_border_controller:8.4", "cpe:/a:oracle:retail_financial_integration:14.1.3.2", "cpe:/a:oracle:webcenter_portal:12.2.1.4.0", "cpe:/a:oracle:retail_central_office:14.1", "cpe:/a:oracle:hospitality_suite8:8.12.0", "cpe:/a:oracle:mysql_server:5.7.36", "cpe:/a:oracle:utilities_framework:4.2.0.3.0", "cpe:/a:oracle:spatial_studio:21.2.1", "cpe:/o:oracle:fujitsu_m12-1_firmware:-", "cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.15.0", "cpe:/a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.8", "cpe:/a:oracle:retail_integration_bus:19.0.1", "cpe:/a:oracle:retail_price_management:15.0.3", "cpe:/a:oracle:bi_publisher:5.5.0.0.0", "cpe:/a:oracle:enterprise_session_border_controller:9.0", "cpe:/a:oracle:clinical:5.2.2", "cpe:/a:oracle:argus_safety:8.2.1", "cpe:/a:oracle:communications_converged_application_server_-_service_controller:6.2", "cpe:/a:oracle:insurance_rules_palette:10.2.4", "cpe:/a:oracle:utilities_testing_accelerator:6.0.0.2.2", "cpe:/a:oracle:sd-wan_edge:9.1", "cpe:/a:oracle:communications_cloud_native_core_network_repository_function:1.14.0", "cpe:/a:oracle:enterprise_manager_base_platform:13.5.0.0", "cpe:/a:oracle:retail_integration_bus:19.0.0", "cpe:/a:oracle:retail_price_management:14.1", "cpe:/a:oracle:banking_digital_experience:17.2", "cpe:/a:oracle:clinical:5.2.1", "cpe:/a:oracle:database_server:21c", "cpe:/a:oracle:access_manager:11.1.2.3.0", "cpe:/a:oracle:access_manager:12.2.1.4.0", "cpe:/a:oracle:retail_allocation:14.1.3.2", "cpe:/a:redhat:jboss_data_grid:-", "cpe:/a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.9.0", "cpe:/o:oracle:solaris:11", "cpe:/a:oracle:access_manager:12.2.1.3.0", "cpe:/a:oracle:graalvm:20.3.4", "cpe:/a:oracle:retail_service_backbone:14.1.3.0", "cpe:/a:oracle:insurance_data_gateway:11.0.2", "cpe:/a:oracle:commerce_platform:11.3.2", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:retail_service_backbone:16.0.3", "cpe:/a:oracle:financial_services_enterprise_case_management:8.0.8", "cpe:/a:oracle:communications_pricing_design_center:12.0.0.3.0", "cpe:/o:oracle:fujitsu_m12-2_firmware:-", "cpe:/a:oracle:retail_xstore_point_of_service:20.0.1", "cpe:/a:oracle:retail_predictive_application_server:15.0.3.115", "cpe:/a:oracle:communications_session_border_controller:9.0", "cpe:/a:oracle:utilities_testing_accelerator:6.0.0.3.1", "cpe:/a:oracle:healthcare_foundation:8.1.0", "cpe:/a:oracle:bi_publisher:12.2.1.3.0", "cpe:/a:oracle:retail_invoice_matching:16.0.3", "cpe:/a:oracle:hyperion_infrastructure_technology:11.2.7.0", "cpe:/a:oracle:primavera_gateway:19.12.12", "cpe:/a:oracle:primavera_data_warehouse:19.12.11.1", "cpe:/a:oracle:retail_price_management:15.0", "cpe:/a:oracle:banking_enterprise_default_management:2.7.0", "cpe:/a:oracle:documaker:12.6.4", "cpe:/a:oracle:retail_order_broker:16.0", "cpe:/a:oracle:commerce_guided_search:11.3.2", "cpe:/a:oracle:banking_platform:2.4.1", "cpe:/a:oracle:fusion_middleware:12.2.1.3.0", "cpe:/a:oracle:communications_design_studio:7.3.5", "cpe:/a:oracle:communications_pricing_design_center:12.0.0.4.0", "cpe:/a:oracle:communications_unified_inventory_management:7.3.0", "cpe:/a:oracle:retail_price_management:13.2", "cpe:/a:oracle:insurance_rules_palette:10.2.0", "cpe:/a:oracle:fusion_middleware_mapviewer:12.2.1.4.0", "cpe:/a:oracle:communications_metasolv_solution:6.3.1", "cpe:/a:oracle:utilities_framework:4.4.0.2.0", "cpe:/a:netapp:management_services_for_element_software_and_netapp_hci:-", "cpe:/a:oracle:retail_eftlink:18.0.1", "cpe:/a:oracle:banking_apis:21.1", "cpe:/a:oracle:hyperion_financial_management:11.2.6.0", "cpe:/a:oracle:insurance_policy_administration:11.1.0", "cpe:/a:oracle:application_performance_management:13.5.1.0", "cpe:/a:oracle:application_performance_management:13.4.1.0", "cpe:/a:oracle:big_data_spatial_and_graph:23.1", "cpe:/a:oracle:weblogic_server:12.2.1.3.0", "cpe:/a:oracle:retail_assortment_planning:16.0.3", "cpe:/a:oracle:business_process_management_suite:12.2.1.4.0", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:oracle:flexcube_private_banking:12.0.0", "cpe:/a:oracle:communications_operations_monitor:3.4", "cpe:/a:oracle:enterprise_data_quality:12.2.1.4.0", "cpe:/a:oracle:hospitality_opera_5_property_services:5.6", "cpe:/a:oracle:retail_service_backbone:19.0.0", "cpe:/a:oracle:airlines_data_model:12.1.1.0.0", "cpe:/a:oracle:rest_data_services:21.2.4", "cpe:/a:oracle:retail_predictive_application_server:16.0.3.240", "cpe:/a:oracle:primavera_p6_professional_project_management:17.12.20.0", "cpe:/a:oracle:business_process_management_suite:12.2.1.3.0", "cpe:/a:oracle:primavera_p6_professional_project_management:18.8.24.0", "cpe:/a:oracle:mysql_connectors:8.0.27", "cpe:/a:oracle:instantis_enterprisetrack:17.2", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:20.12.12.0", "cpe:/a:oracle:insurance_rules_palette:11.3.1", "cpe:/a:oracle:communications_service_broker:6.2", "cpe:/a:oracle:zfs_storage_application_integration_engineering_software:1.3.3", "cpe:/a:oracle:insurance_policy_administration:11.0.2", "cpe:/a:oracle:hospitality_suite8:8.10.2", "cpe:/a:oracle:hospitality_suite8:8.11.0", "cpe:/a:oracle:communications_operations_monitor:4.4", "cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0", "cpe:/a:redhat:openshift_application_runtimes:-", "cpe:/a:netapp:snapcenter_plug-in:-", "cpe:/a:oracle:communications_design_studio:7.4.0", "cpe:/a:oracle:retail_price_management:16.0.3", "cpe:/a:oracle:banking_digital_experience:19.2", "cpe:/a:oracle:insurance_data_gateway:11.3.1", "cpe:/a:oracle:primavera_portfolio_management:20.0.0.0", "cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:19.0", "cpe:/a:oracle:retail_order_broker:18.0", "cpe:/a:oracle:communications_data_model:11.3.2.3.0", "cpe:/a:oracle:argus_insight:8.2.1", "cpe:/a:oracle:secure_backup:18.1.0.1.0", "cpe:/a:oracle:fusion_middleware:12.2.1.4.0", "cpe:/a:oracle:healthcare_translational_research:4.1.0", "cpe:/a:oracle:jdk:11.0.13", "cpe:/a:oracle:essbase_administration_services:11.1.2.4.47", "cpe:/a:oracle:communications_application_session_controller:3.9.0", "cpe:/a:oracle:business_intelligence:12.2.1.4.0", "cpe:/a:oracle:banking_enterprise_default_management:2.12.0", "cpe:/a:oracle:retail_order_management_system:19.5", "cpe:/a:oracle:hospitality_reporting_and_analytics:9.1.0", "cpe:/a:oracle:database_server:12.1.0.1", "cpe:/a:oracle:retail_predictive_application_server:14.1.3.46", "cpe:/a:oracle:communications_interactive_session_recorder:6.4", "cpe:/a:oracle:retail_integration_bus:15.0.3.1", "cpe:/a:oracle:primavera_data_warehouse:18.8.3.3", "cpe:/a:oracle:flexcube_investor_servicing:14.4.0", "cpe:/a:oracle:agile_plm:9.3.3", "cpe:/a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0", "cpe:/a:oracle:rapid_planning:12.2.11", "cpe:/a:oracle:utilities_framework:4.2.0.2.0", "cpe:/a:oracle:retail_service_backbone:15.0.3.1", "cpe:/a:oracle:utilities_framework:4.4.0.3.0", "cpe:/a:oracle:business_intelligence:5.9.0.0.0", "cpe:/a:oracle:retail_allocation:15.0.3.1", "cpe:/a:oracle:database_server:19c", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0.0-17.12.20.0", "cpe:/a:oracle:communications_contacts_server:8.0.0.3.0", "cpe:/a:oracle:primavera_p6_professional_project_management:19.12.17.0", "cpe:/a:oracle:hyperion_ilearning:6.2", "cpe:/a:oracle:retail_xstore_point_of_service:17.0.4", "cpe:/a:oracle:graalvm:21.3.0", "cpe:/a:oracle:argus_analytics:8.2.3", "cpe:/a:oracle:communications_eagle_application_processor:16.4", "cpe:/a:oracle:retail_allocation:16.0.3", "cpe:/a:oracle:health_sciences_information_manager:3.0.2", "cpe:/a:oracle:flexcube_private_banking:12.1.0", "cpe:/a:oracle:retail_integration_bus:16.0.3", "cpe:/a:oracle:retail_financial_integration:15.0.3.1", "cpe:/a:oracle:communications_cloud_native_core_console:1.7.0", "cpe:/a:oracle:enterprise_data_quality:12.2.1.3.0", "cpe:/a:oracle:communications_instant_messaging_server:10.0.1.5.0", "cpe:/a:oracle:banking_digital_experience:18.3", "cpe:/a:oracle:retail_xstore_point_of_service:18.0.3", "cpe:/a:oracle:banking_apis:18.1", "cpe:/a:oracle:retail_service_backbone:14.1.3.2", "cpe:/a:oracle:sd-wan_edge:9.0", "cpe:/a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.11", "cpe:/a:oracle:banking_apis:19.2", "cpe:/a:oracle:thesaurus_management_system:5.3.0", "cpe:/a:oracle:insurance_policy_administration_j2ee:10.2.4", "cpe:/a:oracle:communications_session_border_controller:8.3", "cpe:/a:oracle:peoplesoft_enterprise_people_tools:8.57", "cpe:/a:oracle:communications_operations_monitor:5.0", "cpe:/a:oracle:retail_invoice_matching:15.0.3", "cpe:/a:oracle:communications_unified_inventory_management:7.3.4", "cpe:/a:oracle:retail_merchandising_system:19.0.1", "cpe:/a:oracle:primavera_data_warehouse:20.12.12.0", "cpe:/a:oracle:communications_unified_inventory_management:7.3.5", "cpe:/a:oracle:communications_network_charging_and_control:12.0.4.0.0", "cpe:/a:oracle:communications_convergence:3.0.2.2.0", "cpe:/a:oracle:communications_network_charging_and_control:6.0.1.0.0", "cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.9.0", "cpe:/a:oracle:insurance_policy_administration:11.2.7", "cpe:/a:oracle:communications_operations_monitor:4.2", "cpe:/a:oracle:healthcare_foundation:7.3.0.2", "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "cpe:/a:oracle:communications_design_studio:7.4.2", "cpe:/a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7", "cpe:/a:oracle:argus_insight:8.2.3", "cpe:/a:oracle:communications_session_border_controller:8.2", "cpe:/a:oracle:retail_fiscal_management:14.2", "cpe:/a:oracle:primavera_unifier:18.8", "cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0", "cpe:/a:oracle:communications_design_studio:7.3.4", "cpe:/a:oracle:banking_digital_experience:18.1", "cpe:/a:oracle:banking_platform:2.7.0", "cpe:/a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.18.0", "cpe:/a:oracle:utilities_framework:4.3.0.6.0", "cpe:/a:oracle:demantra_demand_management:12.2.11", "cpe:/a:oracle:instantis_enterprisetrack:17.1", "cpe:/a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.7", "cpe:/a:oracle:retail_back_office:14.1", "cpe:/a:oracle:insurance_data_gateway:11.1.0", "cpe:/a:oracle:retail_integration_bus:13.0", "cpe:/a:oracle:financial_services_behavior_detection_platform:8.0.11", "cpe:/a:oracle:flexcube_investor_servicing:14.5.0", "cpe:/a:oracle:hospitality_suite8:8.14.0", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58", "cpe:/a:oracle:healthcare_data_repository:8.1.0", "cpe:/a:oracle:real_user_experience_insight:13.4.1.0", "cpe:/a:oracle:banking_loans_servicing:2.12.0", "cpe:/a:oracle:communications_unified_inventory_management:7.5.0", "cpe:/a:oracle:primavera_unifier:19.12", "cpe:/a:oracle:peoplesoft_enterprise_people_tools:8.59", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:7.3.3", "cpe:/a:oracle:primavera_unifier:17.12", "cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0", "cpe:/a:oracle:primavera_analytics:19.12.11.1", "cpe:/a:oracle:communications_unified_inventory_management:7.4.0", "cpe:/a:oracle:retail_eftlink:19.0.1", "cpe:/a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0", "cpe:/a:oracle:healthcare_data_repository:8.1.1", "cpe:/a:oracle:hyperion_ilearning:6.3", "cpe:/a:oracle:data_integrator:12.2.1.3.0", "cpe:/a:oracle:communications_data_model:11.3.2.2.0", "cpe:/a:oracle:argus_analytics:8.2.2", "cpe:/a:oracle:banking_enterprise_default_management:2.6.2", "cpe:/a:oracle:retail_predictive_application_server:16.0.3", "cpe:/a:oracle:real_user_experience_insight:13.5.1.0", "cpe:/a:oracle:weblogic_server:14.1.1.0.0", "cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.2.0", "cpe:/a:oracle:primavera_p6_professional_project_management:20.12.9.0", "cpe:/a:oracle:zfs_storage_appliance_kit:8.8", "cpe:/a:oracle:retail_integration_bus:14.1.3.2", "cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3", "cpe:/a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0", "cpe:/a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.2", "cpe:/a:oracle:health_sciences_information_manager:3.0.3", "cpe:/a:oracle:communications_messaging_server:8.1", "cpe:/a:oracle:utilities_testing_accelerator:6.0.0.1.1", "cpe:/a:oracle:banking_apis:18.2", "cpe:/a:oracle:financial_services_enterprise_case_management:8.0.7", "cpe:/a:oracle:primavera_gateway:20.12.7", "cpe:/a:oracle:primavera_gateway:18.8.13", "cpe:/a:oracle:banking_platform:2.7.1", "cpe:/a:oracle:banking_enterprise_default_managment:2.4.0", "cpe:/a:oracle:real-time_decision_server:3.2.0.0", "cpe:/a:oracle:retail_predictive_application_server:14.1.3", "cpe:/a:oracle:insurance_rules_palette:11.3.0", "cpe:/a:oracle:agile_product_lifecycle_analytics:3.6.1", "cpe:/a:oracle:banking_platform:2.6.2", "cpe:/a:oracle:retail_financial_integration:19.0.1", "cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0", "cpe:/a:oracle:bi_publisher:11.1.1.9.0", "cpe:/a:oracle:java_se:7u321", "cpe:/a:oracle:banking_digital_experience:19.1", "cpe:/a:oracle:retail_price_management:16.0", "cpe:/a:oracle:retail_integration_bus:14.1.3.0", "cpe:/a:oracle:argus_safety:8.2.2", "cpe:/a:oracle:primavera_gateway:17.12.11", "cpe:/a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8", "cpe:/o:oracle:solaris:10", "cpe:/a:oracle:business_intelligence:5.5.0.0.0", "cpe:/a:oracle:communications_services_gatekeeper:7.0", "cpe:/a:oracle:insurance_data_gateway:11.2.7", "cpe:/a:oracle:communications_network_integrity:7.3.6", "cpe:/a:oracle:communications_operations_monitor:4.3", "cpe:/a:oracle:retail_allocation:19.0.1", "cpe:/a:redhat:fuse:1.0", "cpe:/a:oracle:argus_insight:8.2.2", "cpe:/a:oracle:http_server:12.2.1.3.0", "cpe:/a:oracle:banking_apis:19.1", "cpe:/a:oracle:primavera_unifier:20.12", "cpe:/o:oracle:fujitsu_m10-4s_firmware:-", "cpe:/a:oracle:banking_digital_experience:20.1", "cpe:/a:oracle:health_sciences_clinical_development_analytics:4.0.1", "cpe:/a:oracle:primavera_portfolio_management:18.0.3.0", "cpe:/a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3", "cpe:/a:oracle:insurance_policy_administration_j2ee:10.2.0", "cpe:/a:oracle:healthcare_data_repository:7.0.2", "cpe:/a:oracle:retail_eftlink:16.0.3", "cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.6.0", "cpe:/a:oracle:business_intelligence:12.2.1.3.0", "cpe:/a:oracle:retail_point-of-sale:14.1", "cpe:/a:oracle:insurance_data_gateway:11.3.0", "cpe:/o:oracle:fujitsu_m10-4_firmware:-", "cpe:/a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.0", "cpe:/a:oracle:flexcube_investor_servicing:12.0.4", "cpe:/a:oracle:enterprise_communications_broker:3.3", "cpe:/a:oracle:retail_xstore_point_of_service:19.0.2", "cpe:/a:oracle:communications_diameter_signaling_route:8.5.1.0", "cpe:/a:oracle:flexcube_investor_servicing:12.4.0", "cpe:/a:oracle:retail_size_profile_optimization:16.0.3", "cpe:/a:oracle:data_integrator:12.2.1.4.0", "cpe:/o:oracle:fujitsu_m10-1_firmware:-", "cpe:/a:oracle:retail_returns_management:14.1", "cpe:/a:oracle:policy_automation:10.4.7", "cpe:/a:oracle:retail_price_management:14.0.4", "cpe:/a:oracle:http_server:12.2.1.4.0", "cpe:/a:oracle:retail_order_broker:19.1", "cpe:/a:oracle:primavera_portfolio_management:20.0.0.1", "cpe:/a:oracle:banking_party_management:2.7.0", "cpe:/o:oracle:communications_messaging_server:8.1", "cpe:/a:oracle:communications_convergent_charging_controller:12.0.4.0.0", "cpe:/a:oracle:agile_product_lifecycle_management_integration_pack:3.6", "cpe:/o:oracle:fujitsu_m12-2s_firmware:-"], "id": "CVE-2019-10219", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10219", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:retail_eftlink:17.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_diameter_signaling_route:8.5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:11.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha2:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:18.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_management_system:19.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m12-1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_default_managment:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_suite8:8.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_insight:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha1:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_analytics:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:16.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_data_gateway:11.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m12-2s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_server:5.7.36:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_professional_project_management:17.12.20.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:11.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_eftlink:18.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_portfolio_management:18.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_insight:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_data_repository:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:18.8.13:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_analytics:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_analytics:19.12.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_safety:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_design_studio:7.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:17.12.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:zfs_storage_application_integration_engineering_software:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_safety:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_data_model:12.1.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:oracle:rapid_planning:12.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_data_model:12.1.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:documaker:12.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m10-4_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_suite8:8.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.46:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_data_gateway:11.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_insight:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_data_model:11.3.2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:7.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12.0.0-17.12.20.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.58:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_analytics:8.21:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha4:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_communications_broker:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_invoice_matching:15.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_data_model:11.3.2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_suite8:8.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_clinical_development_analytics:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_analytics:20.12.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:oracle:communications_convergent_charging_controller:6.0.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_service_broker:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:clinical:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_portfolio_management:20.0.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:essbase_administration_services:11.1.2.4.47:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_connectors:8.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha5:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_financial_management:11.1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_analytics:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_professional_project_management:20.12.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:secure_backup:18.1.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:thesaurus_management_system:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_data_warehouse:20.12.12.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m10-1_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation:12.2.24:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:14.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_portfolio_management:19.0.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_professional_project_management:18.8.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.59:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_data_gateway:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_portfolio_management:20.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_analytics:16.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:13.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:java_se:17.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:database_server:21c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:15.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_eftlink:20.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_suite8:8.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_data_repository:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*", "cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:19.12.18.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha6:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_data_gateway:11.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m12-2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:demantra_demand_management:12.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:airlines_data_model:12.2.0.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:essbase:11.1.2.4.47:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:rest_data_services:21.2.4:*:*:*:-:*:*:*", "cpe:2.3:a:oracle:hyperion_ilearning:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_analytics:18.8.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:19.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_financial_management:11.2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_express:21.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_inform_crf_submit:6.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hyperion_ilearning:6.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:18.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:clinical:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_eftlink:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:17.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:bi_publisher:11.1.1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_data_warehouse:19.12.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:airlines_data_model:12.1.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_data_model:11.3.2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_performance_management:13.5.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_service_backbone:19.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:argus_safety:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:19.12.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_performance_management:13.4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.115:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_price_management:14.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:java_se:7u321:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m10-4s_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:java_se:8u311:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_professional_project_management:19.12.17.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_session_border_controller:8.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_data_gateway:11.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:thesaurus_management_system:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:sd-wan_aware:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.240:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:netapp:element:-:*:*:*:*:vcenter_server:*:*", "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_data_warehouse:18.8.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_eagle_application_processor:16.4:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:oracle:e-business_suite:12.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:thesaurus_management_system:5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:spatial_studio:21.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha3:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:20.12.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*", "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:20.12.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:16:28", "description": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-07T18:15:00", "type": "cve", "title": "CVE-2020-11612", "cwe": ["CWE-770"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11612"], "modified": "2022-04-26T17:05:00", "cpe": ["cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/a:netapp:oncommand_api_services:-", "cpe:/a:netapp:oncommand_insight:-", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.5.2", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:oracle:webcenter_portal:12.2.1.3.0", "cpe:/a:oracle:webcenter_portal:12.2.1.4.0", "cpe:/o:oracle:communications_messaging_server:8.1", "cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3", "cpe:/a:oracle:communications_design_studio:7.4.2", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2020-11612", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11612", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"]}], "prion": [{"lastseen": "2023-08-16T10:17:11", "description": "In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an \"admin\" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a \"viewer\" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as \"viewer\" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a \"viewer\" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-12T22:15:00", "type": "prion", "title": "CVE-2020-11980", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11980"], "modified": "2021-01-07T19:02:00", "id": "PRION:CVE-2020-11980", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11980", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T10:17:00", "description": "Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-14T17:15:00", "type": "prion", "title": "CVE-2020-11971", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2022-05-12T15:00:00", "id": "PRION:CVE-2020-11971", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11971", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T10:17:20", "description": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-22T19:15:00", "type": "prion", "title": "CVE-2020-11989", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2022-05-03T13:59:00", "id": "PRION:CVE-2020-11989", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11989", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T10:17:36", "description": "Server-Side Template Injection and arbitrary file disclosure on Camel templating components", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-08T16:15:00", "type": "prion", "title": "CVE-2020-11994", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11994"], "modified": "2022-04-01T15:33:00", "id": "PRION:CVE-2020-11994", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11994", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-16T10:17:02", "description": "Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-14T17:15:00", "type": "prion", "title": "CVE-2020-11973", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11973"], "modified": "2022-10-05T20:53:00", "id": "PRION:CVE-2020-11973", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11973", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T10:17:01", "description": "Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-14T17:15:00", "type": "prion", "title": "CVE-2020-11972", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11972"], "modified": "2021-03-15T22:15:00", "id": "PRION:CVE-2020-11972", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-11972", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T08:56:28", "description": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-22T18:15:00", "type": "prion", "title": "CVE-2020-10740", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2020-07-10T18:10:00", "id": "PRION:CVE-2020-10740", "href": "https://kb.prio-n.com/vulnerability/CVE-2020-10740", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T12:30:41", "description": "shiro-web is vulnerable to authentication bypass. An `ArrayIndexOutOfBoundsException` in `Base64#decode` causes an invalid session cookie to be parsed as valid.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-18T03:02:25", "type": "veracode", "title": "Authentication Bypass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2021-05-05T06:50:30", "id": "VERACODE:26346", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26346/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T12:37:26", "description": "jboss-remoting is vulnerable to denial of service. A remote attacker is able to crash the application by holding remote connections indefinitely, causing excessive resource consumption.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-16T05:58:40", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19343"], "modified": "2022-05-03T16:28:39", "id": "VERACODE:22174", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22174/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-18T12:34:08", "description": "camel-main is vulnerable to JMX rebind. The vulnerability exists due to the lack of security on JMX connector configuration.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-15T07:15:35", "type": "veracode", "title": "JMX Rebind Flaw", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2022-05-30T02:53:35", "id": "VERACODE:25442", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25442/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T12:21:50", "description": "Apache Karaf is vulnerable to privilege escalation. A user with a `viewer` role and non-admin privilege can call `get*` in `etc/jmx.acl.cfg`. Subsequently, calling `getMBeansFromURL` can lead to SSRF and pollution of the MBean registry.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-15T07:39:58", "type": "veracode", "title": "Privilege Escalation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11980"], "modified": "2021-05-24T10:26:15", "id": "VERACODE:25684", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25684/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T11:49:26", "description": "Apache Shiro-web is vulnerable to authentication bypass. Lack of proper handling of `servletPath` parameter in the request allows an attacker to inject malicious string via the request parameter and bypass authentication.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-23T02:26:39", "type": "veracode", "title": "Authentication Bypass", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2022-05-03T16:30:09", "id": "VERACODE:25737", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25737/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T12:52:03", "description": "hibernate-core is vulnerable to SQL injection. The vulnerability exists in Hibernate ORM.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-18T02:03:37", "type": "veracode", "title": "SQL Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2022-04-29T19:18:08", "id": "VERACODE:26340", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26340/summary", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T11:51:01", "description": "Apache Camel RabbitMQ uses an insecure default. The Java deserialization is enabled by default and allows an attacker to execute arbitrary code via a deserialization vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-15T05:43:05", "type": "veracode", "title": "Insecure Defaults", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11972"], "modified": "2021-03-16T00:33:40", "id": "VERACODE:25440", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25440/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T06:18:06", "description": "org.jboss.resteasy:resteasy-core is vulnerable to denial of service (DoS) attacks. A malicious user is able to cause a hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry, resulting in denial of service conditions.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-22T14:33:27", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2022-07-15T18:30:16", "id": "VERACODE:34795", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34795/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-18T12:31:48", "description": "camel-robotframework is vulnerable to server-side template injection. An attacker is able to inject and execute arbitrary code via server-side templates.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-09T05:02:14", "type": "veracode", "title": "Server-Side Template Injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11994"], "modified": "2021-01-20T17:49:54", "id": "VERACODE:25845", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25845/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T11:50:59", "description": "camel-netty is vulnerable to insecure deserialization. If no codec is specified, it allows objects deserialization using java serialization and deserialization by default rather than restricting only to Strings.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-15T05:27:21", "type": "veracode", "title": "Insecure Deserialization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11973"], "modified": "2022-10-05T23:31:11", "id": "VERACODE:25439", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25439/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:15:29", "description": "codehaus is vulnerable to arbitrary code execution. An incomplete fix for unsafe deserialization in jackson-databind allows an attacker to inject malicious objects and execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-01T00:16:04", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10202"], "modified": "2023-02-13T01:46:18", "id": "VERACODE:21591", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-21591/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T12:48:56", "description": "Apache Tika is vulnerable to denial of service (DoS). When an attacker parses a malicious file as input, it invokes a `System.exit` in Tika's OneNote Parser, subsequently causing an infinite loops or out of memory exceptions in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-04-27T12:54:57", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2022-10-07T06:25:49", "id": "VERACODE:25075", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25075/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-18T12:50:22", "description": "An attacker is able to obtain the private keys from a JWK keystore file by setting the configuration parameter `rs.security.keystore.type` to `jwk`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-01-17T06:19:11", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12423"], "modified": "2021-04-02T14:33:57", "id": "VERACODE:22317", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22317/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T11:53:06", "description": "quartz is vulnerable to XML external entity (XXE) attacks. The external DTDs and doctype declarations are not disabled by default, allowing an attacker to access system files, or perform requests on behalf of the server via a malicious XML document. The vulnerability also allows an attacker to perform entity expansion attacks which could result in an application crash.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-19T04:27:53", "type": "veracode", "title": "XML External Entity (XXE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2022-10-28T18:23:34", "id": "VERACODE:22529", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22529/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T12:54:47", "description": "angular is vulnerable to cross-site scripting (XSS). The vulnerability exists as the regex-based replacement, `XHTML_TAG_REGEXP`, could convert sanitized code which has `` wrapped into ``, into unsanitized code.\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-09T02:33:32", "type": "veracode", "title": "Cross-site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-10-18T21:42:37", "id": "VERACODE:25636", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25636/summary", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-04-18T12:22:00", "description": "wildfly-naming-client is vulnerable to deserialization attacks. The application allows for unsafe deserialization due to lack of input validation and filtering in the JDNI or EJB features. An attacker will be able to inject arbitrary class objects which can lead to execution of arbitrary code.\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-03T05:41:48", "type": "veracode", "title": "Unsafe Deserialization", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2020-07-01T20:23:30", "id": "VERACODE:25586", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25586/summary", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T11:30:03", "description": "jetty-server is vulnerable to information disclosure. An HTTP 431 error occurs when large response headers are received, causing the HTTP response headers to be released to ByteBufferPool twice. This results in a double release and memory corruption and causes confidential information to be disclosed.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-07-13T06:03:25", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2021-01-27T23:39:09", "id": "VERACODE:25873", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25873/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T12:35:58", "description": "netty-codec is vulnerable to denial of service (DoS). The vulnerability exists as it was possible to send a large data for compression, causing large buffer allocation sizes in the client JVM\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-08T03:25:55", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11612"], "modified": "2022-04-26T19:15:07", "id": "VERACODE:22967", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-22967/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhatcve": [{"lastseen": "2023-06-06T15:07:53", "description": "In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an \"admin\" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a \"viewer\" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as \"viewer\" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a \"viewer\" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.\n#### Mitigation\n\nIt&#x27;s possible to add a JMX ACL in etc configuration to limit access. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2020-06-24T10:56:27", "type": "redhatcve", "title": "CVE-2020-11980", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11980"], "modified": "2023-04-06T07:47:15", "id": "RH:CVE-2020-11980", "href": "https://access.redhat.com/security/cve/cve-2020-11980", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-09-12T00:36:45", "description": "A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-17T08:41:43", "type": "redhatcve", "title": "CVE-2019-19343", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19343"], "modified": "2023-09-07T21:36:18", "id": "RH:CVE-2019-19343", "href": "https://access.redhat.com/security/cve/cve-2019-19343", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-10T02:46:19", "description": "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.\n#### Mitigation\n\nThere is no currently known mitigation for this flaw. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-12T15:40:12", "type": "redhatcve", "title": "CVE-2019-14900", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2023-09-09T06:14:20", "id": "RH:CVE-2019-14900", "href": "https://access.redhat.com/security/cve/cve-2019-14900", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:08:10", "description": "Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.\n#### Mitigation\n\nThe JMX instrumentation agent is the vulnerable component in this, if not being used it can be disabled in the following ways \n\n\n* As a Java system property - \n`-Dorg.apache.camel.jmx.disabled=true` as java system property \n\n\n* Using the CamelContext method - \n\n \n \n java \n CamelContext camel = new DefaultCamelContext(); \n camel.disableJMX(); \n \n\n* If using spring altering the spring configuration - \n\n \n \n xml \n <camelContext id=\"camel\" xmlns=\"http://camel.apache.org/schema/spring\"> \n <jmxAgent id=\"agent\" disabled=\"true\"/> \n ... \n </camelContext> \n \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-18T11:25:05", "type": "redhatcve", "title": "CVE-2020-11971", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2023-04-06T07:46:16", "id": "RH:CVE-2020-11971", "href": "https://access.redhat.com/security/cve/cve-2020-11971", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:08:10", "description": "A flaw was found in camel. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n#### Mitigation\n\nRed Hat JBoss Fuse 6 &amp; Red Hat Fuse 7 customers should use `camel-netty4` instead \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-18T12:25:08", "type": "redhatcve", "title": "CVE-2020-11973", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11973"], "modified": "2023-04-06T07:46:27", "id": "RH:CVE-2020-11973", "href": "https://access.redhat.com/security/cve/cve-2020-11973", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:07:50", "description": "A flaw was found in Apache Shiro in versions prior to 1.5.3. When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-23T14:34:18", "type": "redhatcve", "title": "CVE-2020-11989", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2023-04-06T07:48:26", "id": "RH:CVE-2020-11989", "href": "https://access.redhat.com/security/cve/cve-2020-11989", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:07:44", "description": "A flaw was found in camel. Camel's templating components are suseptable to Server-Side Template Injection and arbitrary file disclosure. The highest threat from this vulnerability is to data confidentiality.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-10T13:51:49", "type": "redhatcve", "title": "CVE-2020-11994", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11994"], "modified": "2023-04-06T07:49:04", "id": "RH:CVE-2020-11994", "href": "https://access.redhat.com/security/cve/cve-2020-11994", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:07:43", "description": "A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-13T05:21:12", "type": "redhatcve", "title": "CVE-2020-14326", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2023-04-06T06:57:25", "id": "RH:CVE-2020-14326", "href": "https://access.redhat.com/security/cve/cve-2020-14326", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-13T14:59:25", "description": "A flaw was found in quartz through version 2.3.0. A XXE attack is possible in the Terracotta Quartz Scheduler using a job description. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-10T11:44:18", "type": "redhatcve", "title": "CVE-2019-13990", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2023-04-06T05:55:26", "id": "RH:CVE-2019-13990", "href": "https://access.redhat.com/security/cve/cve-2019-13990", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-06T08:38:43", "description": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-03T20:14:33", "type": "redhatcve", "title": "CVE-2019-17638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2023-08-31T15:51:44", "id": "RH:CVE-2019-17638", "href": "https://access.redhat.com/security/cve/cve-2019-17638", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:08:10", "description": "A flaw was found in camel up to versions 2.25.1 and 3.x. Apache Camel RabbitMQ enables java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-18T12:25:08", "type": "redhatcve", "title": "CVE-2020-11972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11972"], "modified": "2023-04-06T07:46:25", "id": "RH:CVE-2020-11972", "href": "https://access.redhat.com/security/cve/cve-2020-11972", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T14:58:39", "description": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-16T21:30:07", "type": "redhatcve", "title": "CVE-2019-11777", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2023-04-06T05:24:48", "id": "RH:CVE-2019-11777", "href": "https://access.redhat.com/security/cve/cve-2019-11777", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:07:20", "description": "A flaw was found in Apache Shiro in versions prior to 1.6.0. A specially crafted HTTP request may cause an authentication bypass. The highest threat from this vulnerability is to data confidentiality.\n#### Mitigation\n\nThere is currently no known mitigation for this issue. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-18T19:45:28", "type": "redhatcve", "title": "CVE-2020-13933", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2023-04-06T06:13:28", "id": "RH:CVE-2020-13933", "href": "https://access.redhat.com/security/cve/cve-2020-13933", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:08:21", "description": "A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-23T13:25:32", "type": "redhatcve", "title": "CVE-2020-9489", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2023-04-06T07:31:33", "id": "RH:CVE-2020-9489", "href": "https://access.redhat.com/security/cve/cve-2020-9489", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-06T08:38:45", "description": "A flaw was found in Wildfly. A remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to lack of validation/filtering capabilities in wildfly. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availablity.\n#### Mitigation\n\nThere is currently no known mitigation for this issue. \n\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-02T13:21:55", "type": "redhatcve", "title": "CVE-2020-10740", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2023-08-31T15:57:21", "id": "RH:CVE-2020-10740", "href": "https://access.redhat.com/security/cve/cve-2020-10740", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-09-06T08:39:43", "description": "A XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"\\\" elements in \"\\\" ones changes parsing behavior, leading to possibly unsanitizing code.\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-19T20:29:14", "type": "redhatcve", "title": "CVE-2020-7676", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2023-08-31T16:03:38", "id": "RH:CVE-2020-7676", "href": "https://access.redhat.com/security/cve/cve-2020-7676", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "githubexploit": [{"lastseen": "2021-12-10T14:54:16", "description": "# cve-2020-13933\ncve-2020-13...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-09-23T01:55:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Apache Shiro", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2020-12-14T07:27:56", "id": "90D8ACE9-AE14-5976-A039-C2AB9C529504", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-08-13T02:10:56", "description": "# CVE-2020-13933 \u9776\u573a\n\n> shiro < 1.6.0 \u8eab\u4efd\u8ba4\u8bc1\u7ed5\u8fc7\u6f0f\u6d1e\n\n------\n\n## PoC\n\n[...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-09T10:20:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Apache Shiro", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2022-08-13T00:24:02", "id": "F03542D2-479B-5B94-9D8B-B72D71D8CBCA", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:35:21", "description": "<img src=\"http://static.jboss.org/hibernate/images/hibernate_log...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-06T13:06:45", "type": "githubexploit", "title": "Exploit for SQL Injection in Hibernate Hibernate Orm", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2021-01-06T13:21:13", "id": "92A898EB-09D3-5A57-B135-DD1C175B6B18", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:39:13", "description": "JETTY\n=====\nThe Jetty project is a 100% Java HTTP Server, HTTP C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2021-02-04T05:07:42", "type": "githubexploit", "title": "Exploit for Operation on a Resource after Expiration or Release in Eclipse Jetty", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2021-11-24T07:10:19", "id": "4D38002E-58DF-5264-9A2E-9E446EDF6721", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:59:47", "description": "Using AngularJS with the Closure Compiler\n======================...", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-12-01T09:45:48", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Angularjs Angular.Js", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-12-09T13:01:45", "id": "1A203CD7-3FDD-5243-94EB-06C3564EB1A3", "href": "", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "privateArea": 1}], "debiancve": [{"lastseen": "2023-06-13T18:14:09", "description": "A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-23T21:15:00", "type": "debiancve", "title": "CVE-2019-19343", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19343"], "modified": "2021-03-23T21:15:00", "id": "DEBIANCVE:CVE-2019-19343", "href": "https://security-tracker.debian.org/tracker/CVE-2019-19343", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-06T18:08:40", "description": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"<option>\" elements in \"<select>\" ones changes parsing behavior, leading to possibly unsanitizing code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-08T14:15:00", "type": "debiancve", "title": "CVE-2020-7676", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2020-06-08T14:15:00", "id": "DEBIANCVE:CVE-2020-7676", "href": "https://security-tracker.debian.org/tracker/CVE-2020-7676", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:01:45", "description": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-08-17T21:15:00", "type": "debiancve", "title": "CVE-2020-13933", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2020-08-17T21:15:00", "id": "DEBIANCVE:CVE-2020-13933", "href": "https://security-tracker.debian.org/tracker/CVE-2020-13933", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:01:45", "description": "Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-22T19:15:00", "type": "debiancve", "title": "CVE-2020-11989", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2020-06-22T19:15:00", "id": "DEBIANCVE:CVE-2020-11989", "href": "https://security-tracker.debian.org/tracker/CVE-2020-11989", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T18:11:43", "description": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-06T19:15:00", "type": "debiancve", "title": "CVE-2019-14900", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2020-07-06T19:15:00", "id": "DEBIANCVE:CVE-2019-14900", "href": "https://security-tracker.debian.org/tracker/CVE-2019-14900", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-13T18:11:50", "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-26T19:15:00", "type": "debiancve", "title": "CVE-2019-13990", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2019-07-26T19:15:00", "id": "DEBIANCVE:CVE-2019-13990", "href": "https://security-tracker.debian.org/tracker/CVE-2019-13990", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:03:25", "description": "A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-04-27T14:15:00", "type": "debiancve", "title": "CVE-2020-9489", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2020-04-27T14:15:00", "id": "DEBIANCVE:CVE-2020-9489", "href": "https://security-tracker.debian.org/tracker/CVE-2020-9489", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-06T15:01:00", "description": "A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-06-02T12:15:00", "type": "debiancve", "title": "CVE-2020-14326", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2021-06-02T12:15:00", "id": "DEBIANCVE:CVE-2020-14326", "href": "https://security-tracker.debian.org/tracker/CVE-2020-14326", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-13T18:11:32", "description": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-07-09T18:15:00", "type": "debiancve", "title": "CVE-2019-17638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-07-09T18:15:00", "id": "DEBIANCVE:CVE-2019-17638", "href": "https://security-tracker.debian.org/tracker/CVE-2019-17638", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-04-14T19:34:53", "description": "Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-21T19:20:30", "type": "osv", "title": "Improper Input Validation in Apache Camel", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11971"], "modified": "2023-04-14T19:34:48", "id": "OSV:GHSA-HFG5-XPVW-C9X4", "href": "https://osv.dev/vulnerability/GHSA-hfg5-xpvw-c9x4", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-11T20:35:20", "description": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2022-02-10T23:05:04", "type": "osv", "title": "SQL Injection in Hibernate ORM", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14900"], "modified": "2022-05-03T02:28:28", "id": "OSV:GHSA-8GRG-Q944-CCH5", "href": "https://osv.dev/vulnerability/GHSA-8grg-q944-cch5", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-04-11T01:22:24", "description": "Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-07T15:53:10", "type": "osv", "title": "Improper Authentication in Apache Shiro", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11989"], "modified": "2023-04-11T01:22:22", "id": "OSV:GHSA-72W9-FCJ5-3FCG", "href": "https://osv.dev/vulnerability/GHSA-72w9-fcj5-3fcg", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T05:50:29", "description": "In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an \"admin\" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a \"viewer\" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as \"viewer\" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a \"viewer\" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2022-02-10T23:04:32", "type": "osv", "title": "Server-Side Request Forgery in Karaf", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11980"], "modified": "2023-03-28T05:50:23", "id": "OSV:GHSA-9JG9-6WM2-X7P5", "href": "https://osv.dev/vulnerability/GHSA-9jg9-6wm2-x7p5", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:32:54", "description": "Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Databind that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2018-12-21T17:46:54", "type": "osv", "title": "Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000873"], "modified": "2023-04-11T01:32:24", "id": "OSV:GHSA-H4X4-5QP2-WP46", "href": "https://osv.dev/vulnerability/GHSA-h4x4-5qp2-wp46", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-11T01:47:19", "description": "Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-21T19:20:47", "type": "osv", "title": "Deserialization of Untrusted Data in Apache Camel RabbitMQ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11972"], "modified": "2023-04-11T01:47:16", "id": "OSV:GHSA-2X6R-7427-95CM", "href": "https://osv.dev/vulnerability/GHSA-2x6r-7427-95cm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T05:37:03", "description": "Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T21:09:04", "type": "osv", "title": "Apache Camel Netty enables Java deserialization by default", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11973"], "modified": "2023-03-28T05:36:57", "id": "OSV:GHSA-H79P-32MX-FJJ9", "href": "https://osv.dev/vulnerability/GHSA-h79p-32mx-fjj9", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:38:17", "description": "Server-Side Template Injection and arbitrary file disclosure on Camel templating components", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-29T18:08:48", "type": "osv", "title": "Server side template injection in Apache Camel", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11994"], "modified": "2023-04-11T01:38:13", "id": "OSV:GHSA-9VFJ-5G7H-4P24", "href": "https://osv.dev/vulnerability/GHSA-9vfj-5g7h-4p24", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-01T19:50:04", "description": "A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-05-07T15:53:40", "type": "osv", "title": "Missing Release of Memory after Effective Lifetime in Apache Tika", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9489"], "modified": "2023-05-01T19:50:01", "id": "OSV:GHSA-4PV3-63JW-4JW2", "href": "https://osv.dev/vulnerability/GHSA-4pv3-63jw-4jw2", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-11T01:45:48", "description": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T15:54:23", "type": "osv", "title": "Authentication bypass in Apache Shiro", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13933"], "modified": "2023-04-11T01:45:41", "id": "OSV:GHSA-2VGM-WXR3-6W2J", "href": "https://osv.dev/vulnerability/GHSA-2vgm-wxr3-6w2j", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-22T15:20:55", "description": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-24T17:21:23", "type": "osv", "title": "Wildfly Unsafe Deserialization Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2023-08-22T14:50:33", "id": "OSV:GHSA-VRMW-2XHQ-HRMP", "href": "https://osv.dev/vulnerability/GHSA-vrmw-2xhq-hrmp", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-03-28T05:45:01", "description": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-09-17T22:47:11", "type": "osv", "title": "Improper Handling of Exceptional Conditions and Origin Validation Error in Eclipse Paho Java client library", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11777"], "modified": "2023-03-28T05:44:58", "id": "OSV:GHSA-63QC-P2X4-9FGF", "href": "https://osv.dev/vulnerability/GHSA-63qc-p2x4-9fgf", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-11T01:50:33", "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-01T17:55:03", "type": "osv", "title": "XML external entity injection in Terracotta Quartz Scheduler", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2023-04-11T01:50:30", "id": "OSV:GHSA-9QCF-C26R-X5RF", "href": "https://osv.dev/vulnerability/GHSA-9qcf-c26r-x5rf", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-08T21:25:25", "description": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping `<option>` elements in `<select>` ones changes parsing behavior, leading to possibly unsanitizing code.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-06-18T14:19:58", "type": "osv", "title": "Cross site scripting in Angular", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2023-09-08T20:50:35", "id": "OSV:GHSA-MHP6-PXH8-R675", "href": "https://osv.dev/vulnerability/GHSA-mhp6-pxh8-r675", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-03-28T05:50:40", "description": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-05T14:52:59", "type": "osv", "title": "Operation on a Resource after Expiration or Release in Jetty Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2023-03-28T05:50:29", "id": "OSV:GHSA-X3RH-M7VP-35F2", "href": "https://osv.dev/vulnerability/GHSA-x3rh-m7vp-35f2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-11T01:46:05", "description": "A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-18T17:58:59", "type": "osv", "title": "RESTEasy 4.5.5.Final in hash flooding", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14326"], "modified": "2023-04-11T01:46:02", "id": "OSV:GHSA-37G7-8VJJ-PJPJ", "href": "https://osv.dev/vulnerability/GHSA-37g7-8vjj-pjpj", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-03-28T05:39:12", "description": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-01-08T17:01:52", "type": "osv", "title": "The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10219"], "modified": "2023-03-28T05:39:08", "id": "OSV:GHSA-M8P2-495H-CCMH", "href": "https://osv.dev/vulnerability/GHSA-m8p2-495h-ccmh", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2023-06-13T16:08:15", "description": "\n\nJenkins Security Advisory:\n\nDescription\n(Critical) SECURITY-1983 / CVE-2019-17638\nBuffer corruption in bundled Jetty\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-17T00:00:00", "type": "freebsd", "title": "jenkins -- Buffer corruption in bundled Jetty", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-08-17T00:00:00", "id": "09EA1B08-1D3E-4BF2-91A1-D6573F4DA3D8", "href": "https://vuxml.freebsd.org/freebsd/09ea1b08-1d3e-4bf2-91a1-d6573f4da3d8.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-07-23T16:10:35", "description": "Eclipse Jetty is prone to a vulnerability where sensitive information about\n clients could be obtained.", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Eclipse Jetty Vulnerability - CVE-2019-17638 (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17638"], "modified": "2020-07-15T00:00:00", "id": "OPENVAS:1361412562310144238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310144238", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:eclipse:jetty\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.144238\");\n script_version(\"2020-07-15T06:23:02+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-15 06:23:02 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 06:13:23 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:P\");\n\n script_cve_id(\"CVE-2019-17638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_name(\"Eclipse Jetty Vulnerability - CVE-2019-17638 (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_jetty_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jetty/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Eclipse Jetty is prone to a vulnerability where sensitive information about\n clients could be obtained.\");\n\n script_tag(name:\"insight\", value:\"In case of too large response headers, Jetty throws an exception to produce\n an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to\n the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the\n pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer\n with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results\n in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data\n belonging to client2 (HTTP session ids, authentication credentials, etc.).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Eclipse Jetty version 9.4.27.v20200227 to 9.4.29.v20200521.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 15th July, 2020.\n Information regarding this issue will be updated once solution details are available.\");\n\n script_xref(name:\"URL\", value:\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex: \"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\",\n exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_in_range(version: version, test_version: \"9.4.27.20200227\", test_version2: \"9.4.29.20200521\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"None\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-23T16:10:35", "description": "Eclipse Jetty is prone to a vulnerability where sensitive information about\n clients could be obtained.", "cvss3": {}, "published": "2020-07-15T00:00:00", "type": "openvas", "title": "Eclipse Jetty Vulnerability - CVE-2019-17638 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17638"], "modified": "2020-07-15T00:00:00", "id": "OPENVAS:1361412562310144239", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310144239", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:eclipse:jetty\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.144239\");\n script_version(\"2020-07-15T06:23:02+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-15 06:23:02 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-15 06:22:26 +0000 (Wed, 15 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:P\");\n\n script_cve_id(\"CVE-2019-17638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_name(\"Eclipse Jetty Vulnerability - CVE-2019-17638 (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_jetty_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jetty/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Eclipse Jetty is prone to a vulnerability where sensitive information about\n clients could be obtained.\");\n\n script_tag(name:\"insight\", value:\"In case of too large response headers, Jetty throws an exception to produce\n an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to\n the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the\n pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer\n with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results\n in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data\n belonging to client2 (HTTP session ids, authentication credentials, etc.).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Eclipse Jetty version 9.4.27.v20200227 to 9.4.29.v20200521.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 15th July, 2020.\n Information regarding this issue will be updated once solution details are available.\");\n\n script_xref(name:\"URL\", value:\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex: \"^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\",\n exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_in_range(version: version, test_version: \"9.4.27.20200227\", test_version2: \"9.4.29.20200521\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"None\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2023-06-13T15:33:08", "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description (CVE-2019-13990). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-14T21:20:42", "type": "mageia", "title": "Updated quartz packages fix a security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13990"], "modified": "2021-03-14T21:20:40", "id": "MGASA-2021-0133", "href": "https://advisories.mageia.org/MGASA-2021-0133.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:15:03", "description": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.\n\n \n**Recent assessments:** \n \n**space-r7** at July 17, 2020 2:11pm UTC reported:\n\nVersions of Wildfly below `20.0.0.Final` can load arbitrary classes through either JNDI or EJB invocation, which could potentially result in RCE. Despite that, authentication is required, making exploitation all the more difficult.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-22T00:00:00", "type": "attackerkb", "title": "CVE-2020-10740", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10740"], "modified": "2020-07-24T00:00:00", "id": "AKB:9C1D0E92-46E7-498E-99D8-8198572E25E3", "href": "https://attackerkb.com/topics/s5esTUqM3b/cve-2020-10740", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2022-02-10T00:00:00", "description": "angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping &quot;&lt;option&gt;&quot; elements in &quot;&lt;select&gt;&quot; ones changes parsing behavior, leading to possibly unsanitizing code. ([CVE-2020-7676](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676>))\n\nImpact\n\nAn attacker may exploit this vulnerability to perform a cross-site scripting (XSS) attack.\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-07-23T19:00:00", "type": "f5", "title": "AngularJS XSS vulnerability CVE-2020-7676", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7676"], "modified": "2021-07-23T19:01:00", "id": "F5:K32412075", "href": "https://support.f5.com/csp/article/K32412075", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:16:31", "description": "A buffer overflow vulnerability exists in Jenkins Jetty. Successful exploitation of this vulnerability could allow unauthenticated attackers to obtain HTTP response headers that may include sensitive data intended for another user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "baseScore": 9.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-08-25T00:00:00", "type": "checkpoint_advisories", "title": "Jenkins Jetty Buffer Overflow (CVE-2019-17638)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-08-25T00:00:00", "id": "CPAI-2019-2209", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:11", "description": "[](<https://thehackernews.com/images/-O7WLm1a3Tf8/XzulZqcI1TI/AAAAAAAAAqs/cxyir0h6gqA9QB5REyQrwUA7xDzXpRZkACLcBGAsYHQ/s728-e100/jenkin.jpg>)\n\nJenkins\u2014a popular open-source automation server software\u2014published an [advisory](<https://www.jenkins.io/security/advisory/2020-08-17/>) on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed. \n \nTracked as [CVE-2019-17638](<https://nvd.nist.gov/vuln/detail/CVE-2019-17638>), the flaw has a CVSS rating of 9.4 and impacts Eclipse Jetty versions 9.4.27.v20200227 to 9.4.29.v20200521\u2014a full-featured tool that provides a Java HTTP server and web container for use in software frameworks. \n \n\"Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat,\" read the advisory. \n \n\"The vulnerability may allow unauthenticated attackers to obtain HTTP response headers that may include sensitive data intended for another user.\" \n \nThe [flaw](<https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984>), which impacts Jetty and Jenkins Core, appears to have been introduced in Jetty version 9.4.27, which added a mechanism to handle large HTTP response headers and prevent buffer overflows. \n \n\"The issue was in the case of a buffer overflow, we released the header buffer, but did not null the field,\" Jetty's project head [Greg Wilkins](<https://github.com/eclipse/jetty.project/issues/4936>) said. \n \nTo handle this, Jetty throws an exception to produce an HTTP 431 error, which causes the HTTP response headers to be released to the buffer pool twice, in turn causing memory corruption and information disclosure. \n \nThus, due to the double release, two threads can acquire the same buffer from the pool at the same time and potentially allow one request to access a response written by the other thread, which may include session identifiers, authentication credentials, and other sensitive information. \n \nPut differently, \"while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2.\" \n \nIn one case, the memory corruption made it possible for clients to move between sessions, thereby having cross-account access, as authentication cookies from one user's response were sent to another user, thereby allowing user A to jump in user B's session. \n \nAfter the security implications were disclosed, the vulnerability was addressed in Jetty 9.4.30.v20200611 released last month. Jenkins, which bundles Jetty via a command-line interface called [Winstone](<https://github.com/jenkinsci/winstone>), has [patched the flaw](<https://www.jenkins.io/changelog-stable/>) in its utility in Jenkins 2.243 and Jenkins LTS 2.235.5 released yesterday. \n \nIt's recommended that Jenkins users update their software to the latest version to mitigate the buffer corruption flaw.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.5}, "published": "2020-08-18T09:55:00", "type": "thn", "title": "Critical Jenkins Server Vulnerability Could Leak Sensitive Information", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17638"], "modified": "2020-08-21T13:46:09", "id": "THN:6F9D6D4546C3D4DA1164354C8E552FDC", "href": "https://thehackernews.com/2020/08/jenkins-server-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}