The vulnerability of the JNDI component of the Java SE software platform and the Oracle GraalVM Enterprise Edition virtual machine allows attackers to access, modify, add, or delete data.

The vulnerability of the JNDI component of the Java SE software platform and the Oracle GraalVM Enterprise Edition virtual machine exists due to insufficient validation of input data. Exploiting this vulnerability can allow an attacker, operating remotely, to gain access to modify, add, or delete...

Apache Flume 安全漏洞

Apache Flume is a distributed, reliable and available service from the Apache Foundation. A remote code execution vulnerability exists in Apache Flume, which stems from the configuration of a JMS source with a JNDI LDAP data source URI, and could be exploited by an attacker to cause a remote code...

OpenJDK: URI parsing inconsistencies (JNDI, 8278972)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JNDI. Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable...

OpenJDK: URI parsing inconsistencies (JNDI, 8278972)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JNDI. Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable...

OpenJDK: URI parsing inconsistencies (JNDI, 8278972)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JNDI. Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable...

log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)

A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map MDC input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution RCE in a limited number of environments...

log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink

A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests...

The vulnerability of the JMSSink class implementation in the Log4j logging library allows a perpetrator to execute arbitrary code.

The vulnerability of the JMSSink class implementation in the Log4j Java logging library is related to deficiencies in the data deserialization mechanism. Exploiting this vulnerability allows an attacker, operating remotely, to execute arbitrary code by sending specially crafted JNDI requests...

log4j-core: remote code execution via JDBC Appender

Apache Log4j2 versions 2.0-beta7 through 2.17.0 excluding security fix releases 2.3.2 and 2.12.4 are vulnerable to a remote code execution RCE attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a dat...

The vulnerability of the JMSAppender class implementation in the Log4j logging library allows a perpetrator to execute arbitrary code.

The vulnerability of the JMSAppender class in the Log4j logging library relates to the restoration of unreliable data in memory. Exploiting this vulnerability allows an attacker to execute arbitrary code by sending specially crafted JNDI requests remotely...

log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint...

log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint...

tomcat: JNDI realm authentication weakness

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65...

OESA-2021-1299 tomcat security update

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open developmen...

DEBIAN-CVE-2021-30640

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65...

PT-2021-3584

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 8.5.0 through 8.5.65 Apache Tomcat versions 9.0.0.M1 through 9.0.45 Apache Tomcat versions 10.0.0-M1 through 10.0.5 Description A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using...

PT-2021-3161 · Fasterxml +2 · Jackson-Databind +2

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.8 FasterXML jackson-databind versions 2.6.7.5 and earlier Description: The issue is related to the interaction between serialization gadgets and typing, specifically with the...

Exploit for Out-of-bounds Write in Php

It is an exploit module for CVE-2019-11043. The target product/service is Apache Log4j, and the vulnerability class/vector is RCE Remote Code Execution. The probable entry point is the JNDI exploit, which is a known vulnerability in Log4j. Notable dependencies/tooling include the Apache Log4j...

OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990)

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: JNDI. Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...

OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990)

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: JNDI. Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple...