98 matches found
jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity XXE attacks. The highest threat from this vulnerability is data integrity...
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity XXE attacks. The highest threat from this vulnerability is data integrity...
jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity XXE attacks. The highest threat from this vulnerability is data integrity...
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity XXE attacks. The highest threat from this vulnerability is data integrity. Mitigation There is currently no known mitigation for this flaw...
Tencent Ups Top Bug-Bounty Award to $15K
The Tencent Security Response Center TSRC is launching an expanded bug-bounty program, via the HackerOne white-hat platform – and the company has increased its top reward to $15,000. Tencent, a China-based global internet service provider, is opening up its existing bug-bounty program to...
CVE-2020-2138
Jenkins Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity XXE attacks...
PT-2020-15355 · Jenkins · Jenkins Rundeck Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Rundeck Plugin versions 3.6.6 and earlier Description: The issue allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins...
CVE-2020-2115
Jenkins NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity XXE attacks...
PT-2020-15327 · Jenkins · Jenkins Fitnesse Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins FitNesse Plugin versions 1.30 and earlier Description: The issue allows a user who can control the input files for the post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the...
Unsafe Deserialization
shopware/shopware is vulnerable to XML external entity attacks via unsafe deserialization. The sort parameter in the function loadPreviewAction in the ShopwareControllersBackendProductStream controller is not validated before PHP object instantiation is performed, which would allow an attacker to...
GHSA-X2W5-5M2G-7H5M XML External Entity Reference (XXE) in jackson-databind
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity XXE attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization...
DEBIAN-CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity XXE attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization...
CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity XXE attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization...
CVE-2017-7545
It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML...
CVE-2017-18197
In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserFactory instance in convert is missing flags to prevent XML External Entity XXE attacks, as demonstrated by /ServerView...
MGASA-2018-0048 Updated libxml2 & perl-XML-LibXML packages fix security vulnerabilities
Use-after-free error could lead to crash CVE-2016-4658. Use-after-free vulnerability in libxml2 through 2.9.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function CVE-2016-5131. libxml2 2.9.4 and earli...
Moderate: Red Hat Security Advisory: rh-java-common-lucene security update
An update for rh-java-common-lucene is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
CVE-2017-10889
TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity XXE attacks via unspecified vectors...
BSA-2017-470
Security Advisory ID : BSA-2017-470 Component : Expand Entity References Revision : 1.0: Interim The 1 BasicParserPool, 2 StaticBasicParserPool, 3 XML Decrypter, and 4 SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote...
CVE-2017-9096
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity XXE attacks via a crafted PDF...