Security Bulletin: Vulnerability In Jackson Databind library shipped with IBM Global Mailbox (CVE-2020-25649)
Summary: A security vulnerability has been identified in the Jackson Databind library shipped with IBM Global Mailbox. Vulnerability Details: CVEID: CVE-2020-25649. DESCRIPTION: FasterXML Jackson Databind could provide weaker than expected security, caused by not having entity expansion secured properly. ...
CVE-2020-26513
An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks...
Xxe
An issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The ReqIF XML data, used by the codebeamer ALM application to import projects, is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks...
jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity...
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity...
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. Mitigation: There is currently no known mitigation for this flaw...
XXE in Apache Standard Taglibs
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a 1 or 2 JSTL XML tag...
Tencent Ups Top Bug-Bounty Award to $15K
The Tencent Security Response Center (TSRC) is launching an expanded bug-bounty program, via the HackerOne white-hat platform, and the company has increased its top reward to $15,000. Tencent, a China-based global internet service provider, is opening up its existing bug-bounty program to...
CVE-2020-2138
Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
PT-2020-15355 · Jenkins · Jenkins Rundeck Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Rundeck Plugin versions 3.6.6 and earlier Description: The issue allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins...
CVE-2020-1693
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute...
CVE-2020-2115
Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks...
PT-2020-15327 · Jenkins · Jenkins Fitnesse Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins FitNesse Plugin versions 1.30 and earlier Description: The issue allows a user who can control the input files for the post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the...
CVE-2020-1693
A flaw was found in Spacewalk where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on t...
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2019-1428)
The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
The vulnerability of the Enterprise Resource Management System “Galaktika ERP” allows a hacker to initiate requests for resources on behalf of the server.
The vulnerability of the .res components of the Enterprise Resource Management System “Galaktika ERP” is related to the functionality of importing XML configurations. Exploiting this vulnerability allows a malicious actor to initiate requests to any resource on behalf of the server by performing...
Unsafe Deserialization
shopware/shopware is vulnerable to XML external entity (XXE) attacks via unsafe deserialization. The sort parameter in the function loadPreviewAction in the Shopware_Controllers_Backend_ProductStream controller is not validated before PHP object instantiation is performed, which would allow an attacker to...
XML External Entity Reference (XXE) in jackson-databind
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization...