409 matches found
xstream code injection vulnerability
XStream is an open source Java class library; it can serialize objects into XML or deserialize XML into objects. A code injection vulnerability exists in XStream. The vulnerability stems from a network system or product that does not properly filter special elements of externally entered data...
[SECURITY] [DSA 4452-1] jackson-databind security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4452-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 24, 2019 https://www.debian.org/security/faq -...
com.crawljax.plugins:testcasegenerator (=4.1), com.crawljax:crawljax-examples (=4.1) +25 more potentially affected by unknown CVE via org.testng:testng (>=7.0.0-beta1 <=7.0.0-beta3)
org.testng:testng MAVEN version =7.0.0-beta1, =1.0, =1.0.0, =1.0, =1.0, =5.15, =0.1.20, =0.1.20, =0.1.20, =0.1.20, =0.1.20, =0.1.20, =0.1.20, =0.1.20, =1.0.0 and more Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGTESTNG-174823...
ai.agnos:reactive-sparql_2.12 (>=0.3.0 <=0.3.1), ai.databand:dbnd-agent (>=0.42.1 <=0.80.6) +5724 more potentially affected by CVE-2018-19362 via com.fasterxml.jackson.core:jackson-databind (>=2.7.0 <=2.7.9.4)
com.fasterxml.jackson.core:jackson-databind MAVEN version =2.7.0, =0.3.0, =0.42.1, =0.42.1, =0.40.2, =0.42.1, =0.2, =0.8.0, =3.3.3, =0.0.1, =0.0.2, =0.0.3 - at.ac.ait.lablink.clients:sync =0.0.1 - at.ac.ait.lablink:core =0.0.1 and more Source cves: CVE-2018-19362 Source advisory:...
ae.vigilancer.android-run-app:ae.vigilancer.android-run-app.gradle.plugin (>=1.0.1 <=1.0.2), aero.m-click:mcpdf (>=0.2.3 <=0.2.4) +6768 more potentially affected by CVE-2016-1000344 via org.bouncycastle:bcprov-jdk15on (>=1.46 <=1.55)
org.bouncycastle:bcprov-jdk15on MAVEN version =1.46, =1.0.1, =0.2.3, =0.42.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.1, =1.4.3 and more Source cves: CVE-2016-1000344 Source advisory: OSV:GHSA-2J2X-HX4G-2GF4...
Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15
The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, aka an "invalid curve attack."...
RHEL 7 : Virtualization (RHSA-2018:1713)
An update for unboundid-ldapsdk is now available for Red Hat Virtualization Engine 4.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
Moderate: Red Hat Security Advisory: unboundid-ldapsdk security update
An update for unboundid-ldapsdk is now available for Red Hat Virtualization Engine 4.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
Updated libpam4j package fixes security vulnerability
It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt during authentication. As such, a user who has a valid password but a deactivated or disabled account could still log in. CVE-2017-12197...
[SECURITY] [DSA 4190-1] jackson-databind security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4190-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond May 03, 2018 https://www.debian.org/security/faq -...
ai.grakn:grakn-test (>=0.13.0 <=0.15.0), ai.grakn:test-integration (>=0.16.0 <=v1.1.0-226-g847ecff2d8e26f249422247d7665fe15f07b1744) +803 more potentially affected by CVE-2018-1002202 via net.lingala.zip4j:zip4j (>=1.2.3 <=1.3.2)
net.lingala.zip4j:zip4j MAVEN version =1.2.3, =0.13.0, =0.16.0, =1.5.0, =1.0.0, =1.0.1, =1.0.4, =2.5.7, =1.1.13, =1.0.7, =1.1.4, =2.1.0, =1.0.0, =3.0.2, =1.0.3, =3.3.0, =3.3.9 and more Source cves: CVE-2018-1002202 Source advisory: SNYK:JAVA-NETLINGALAZIP4J-31679...
[SECURITY] Fedora 27 Update: unboundid-ldapsdk-4.0.5-1.fc27
The UnboundID LDAP SDK for Java is a fast, powerful, user-friendly, and completely free Java library for communicating with LDAP directory servers and performing related tasks like reading and writing LDIF, encoding and decoding data using base64 and ASN.1 BER, and performing secure communicatio...
[SECURITY] Fedora 26 Update: unboundid-ldapsdk-4.0.5-1.fc26
The UnboundID LDAP SDK for Java is a fast, powerful, user-friendly, and completely free Java library for communicating with LDAP directory servers and performing related tasks like reading and writing LDIF, encoding and decoding data using base64 and ASN.1 BER, and performing secure communicatio...
[SECURITY] [DSA 4114-1] jackson-databind security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4114-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond February 15, 2018 https://www.debian.org/security/faq -...
CVE-2017-5641
Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process, code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...
Debian: Security Advisory (DSA-4037-1)
The remote host is missing an update for the Debian... (scanner description excerpt; copyright 2017 Greenbone AG, GPL-2.0-only)
Debian DSA-4025-1 : libpam4j - security update
It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt during authentication. As such, a user who has a valid password but a deactivated or disabled account could still log in. (Tenable Network Security, Inc. plugin description, excerpt.)
jsch: ChannelSftp path traversal vulnerability
A vulnerability was discovered in JSch that allows a malicious SFTP server to force a client-side relative path traversal in JSch's implementation of recursive SFTP get. An attacker could leverage this to write files outside the client's download base directory with the effective permissions of the JSch SF...
[SECURITY] [DSA 4004-1] jackson-databind security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4004-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond October 20, 2017 https://www.debian.org/security/faq -...
Nimbus JOSE+JWT padding oracle attack information disclosure vulnerability
Nimbus JOSE+JWT is an open source Java library. Nimbus JOSE+JWT has a security vulnerability that allows attackers to submit specially crafted requests to perform padding oracle attacks and obtain sensitive information...