193 matches found

Veracode
added 2019/05/16 2:18 a.m., 28 views

Improper Access Control

Oracle Java SE is vulnerable to an improper access control vulnerability: the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making the...

CVSS 4.5 | AI score 7 | EPSS 0.00089
Exploits 0 | References 23 | Affected Software 4
Veracode
added 2019/05/02 6:09 a.m., 24 views

Unauthenticated Access

Java SE and Java SE Embedded are vulnerable to unauthenticated access. The Networking component of OpenJDK fails to properly parse user info from the URL. A remote attacker could cause the Java application to incorrectly parse an attacker-supplied URL and interpret it differently from other...

CVSS 5.3 | AI score 6.8 | EPSS 0.00702
Exploits 0 | References 22 | Affected Software 5
Veracode
added 2019/05/02 5:03 a.m., 22 views

Improper Access Control

It was discovered that the Security component did not prevent the instantiation of security services with a non-public constructor. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information...

CVSS 5 | AI score 2.8 | EPSS 0.01993
Exploits 0 | References 39 | Affected Software 3
Veracode
added 2019/05/02 4:56 a.m., 43 views

Improper Access Control

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote...

CVSS 5 | AI score 6.5 | EPSS 0.08392
Exploits 0 | References 17 | Affected Software 67
Veracode
added 2019/05/02 4:54 a.m., 27 views

Arbitrary Code Execution

OpenJDK 7 is vulnerable to arbitrary code execution. It allows an untrusted Java application or applet to use a flaw to bypass Java sandbox restrictions...

CVSS 9.3 | AI score 6.6 | EPSS 0.09237
Exploits 0 | References 26 | Affected Software 3
Veracode
added 2019/05/02 4:54 a.m., 22 views

Denial Of Service (DoS)

openjdk is vulnerable to denial of service. Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML document that would cause a Java application to use an excessive amount of CPU and memory when processed...

CVSS 5 | AI score 5.9 | EPSS 0.05761
Exploits 0 | References 24 | Affected Software 3
NVD
added 2019/03/12 10:29 p.m., 17 views

CVE-2019-0275

SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server J2EE-APPS, versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in a cross-site scripting (XSS) vulnerability...

CVSS 5.4 | AI score 5.3 | EPSS 0.00238
Exploits 0 | References 3
Tenable Nessus
added 2019/01/25 12:00 a.m., 33 views

Kibana ESA-2018-06

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructi...

CVSS 5.4 | AI score 5.9 | EPSS 0.00195
Exploits 0 | References 2
Veracode
added 2019/01/15 8:52 a.m., 15 views

Unauthorized Time Zone Modification

IBM Java Runtime Environment shipped as part of Red Hat Network Satellite Server has a vulnerability which affects the time zone information of the application. The vulnerability is possible because java.util.TimeZone fails to prevent an untrusted Java application or applet from changing the time zo...

CVSS 6.4 | AI score 5.9 | EPSS 0.01835
Exploits 0 | References 30 | Affected Software 3
Tenable Nessus
added 2018/12/07 12:00 a.m., 120 views

Elasticsearch ESA-2015-06

Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.

CVSS 9.8 | AI score 8.8 | EPSS 0.39895
Exploits 5 | References 2
Tenable Nessus
added 2018/12/06 12:00 a.m., 24 views

Logstash ESA-2014-02

Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker with access to send crafted events to Logstash inputs to cause Logstash to execute OS commands.

CVSS 7.5 | AI score 5.5 | EPSS 0.00881
Exploits 0 | References 2
RedhatCVE
added 2018/09/14 8:18 p.m., 31 views

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default...

CVSS 7.4 | AI score 2.6 | EPSS 0.00492
Exploits 0 | References 2
Prion
added 2018/09/10 8:29 p.m., 21 views

Default credentials

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default...

CVSS 5.8 | AI score 8.2 | EPSS 0.00492
Exploits 0 | References 15 | Affected Software 3
UbuntuCve
added 2018/09/10 8:29 p.m., 33 views

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default...

CVSS 7.4 | AI score 7.1 | EPSS 0.00492
Exploits 0 | References 5
OSV
added 2018/09/10 8:29 p.m., 21 views

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default...

CVSS 7.4 | AI score 6.5 | EPSS 0.00492
Exploits 0 | References 15
CVE
added 2018/09/10 8:00 p.m., 199 views

CVE-2018-11775

CVE-2018-11775 affects the Apache ActiveMQ Client, where TLS hostname verification was missing prior to version 5.15.6, enabling a potential MITM between a Java application and the ActiveMQ server. Hostname verification is now enabled by default, and the issue is addressed by upgrading the ActiveMQ client...

CVSS 7.4 | AI score 7.1 | EPSS 0.00492
Exploits 0 | References 15 | Affected Software 1
Debian CVE
added 2018/09/10 8:00 p.m., 23 views

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default...

CVSS 7.4 | AI score 7.5 | EPSS 0.00492
Exploits 0
Tenable Nessus
added 2018/08/22 12:00 a.m., 28 views

Elasticsearch ESA-2017-18

An error was found in the X-Pack Security privilege enforcement. If a user has either delete or index permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.

CVSS 6.5 | AI score 6.4 | EPSS 0.00111
Exploits 0 | References 2
Ubuntu
added 2018/05/11 1:44 a.m., 111 views

USN-3644-1: OpenJDK 8 vulnerabilities

It was discovered that the Security component of OpenJDK did not correctly perform merging of multiple sections for the same file listed in JAR archive file manifests. An attacker could possibly use this to modify attributes in a manifest without invalidating the signature. CVE-2018-2790 Francesc...

CVSS 8.3 | AI score 5.9 | EPSS 0.00693
Exploits 0
Prion
added 2018/03/02 8:29 p.m., 12 views

Authentication flaw

NetIQ iManager before 3.0.3 delivered an SSL private key in a Java application JAR file for authentication to Sentinel, allowing attackers to extract it and establish their own connections to the Sentinel appliance...

CVSS 5 | AI score 7.6 | EPSS 0.00172
Exploits 0 | References 2 | Affected Software 1