409 matches found

Tenable Nessus
added 2017/07/20 12:0 a.m. | 107 views

Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)

The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities: - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An...

9.8 CVSS | 7.7 AI score | 0.80902 EPSS
Exploits: 3 | References: 15
Hacker One
added 2017/07/10 10:22 p.m. | 52 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

Summary: One of the DoD applications uses a Java library which is vulnerable to expression language injection. Using only a URL I was able to inject Java code. I made a simple PoC that requests a name resolution to a DNS server. Description: The application at https://███ uses Primefaces version...

7.9 AI score
Exploits: 0
OSV
added 2017/06/30 12:29 p.m. | 2 views

CVE-2017-10670

An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure...

9.8 CVSS | 5.8 AI score | 0.00368 EPSS
Exploits: 0 | References: 2
OSV
added 2017/06/30 12:29 p.m. | 1 views

CVE-2017-10668

A Padding Oracle exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET). Under an MITM condition within the OSCI infrastructure, an attacker needs to send crafted protocol messages to analyse the CBC mode padding in order to decrypt the...

5.9 CVSS | 5.8 AI score
Exploits: 0 | References: 2
CNVD
added 2017/05/23 12:0 a.m. | 3 views

Unspecified Vulnerability in Jasypt

Jasypt is a Java library with encryption features developed by the Jasypt team. It is based on standard cryptography and supports one-way or two-way encryption of passwords, text, numbers, binary files and so on. A security vulnerability exists in versions of Jasypt prior to 1.9.2. An attacker can...

7.5 CVSS | 6.8 AI score | 0.00701 EPSS
Exploits: 0 | References: 1
Debian
added 2017/04/10 7:16 p.m. | 29 views

[SECURITY] [DLA 893-1] bouncycastle security update

Package: bouncycastle. Version: 1.44+dfsg-3.1+deb7u2. CVE ID: CVE-2015-6644. An information disclosure vulnerability was discovered in Bouncy Castle, a Java library which consists of various cryptographic algorithms. The Galois/Counter mode (GCM) implementation was missing a boundary check that cou...

4.3 CVSS | 4.4 AI score | 0.00184 EPSS
Exploits: 0
RedHat Linux
added 2017/04/03 9:2 p.m. | 3 views

jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows...

5.8 CVSS | 7.4 AI score | 0.00616 EPSS
Exploits: 0 | References: 4
myhack58
added 2017/03/31 12:0 a.m. | 119 views

fastjson remote code execution vulnerability: technical analysis and protection solution

On March 15, 2017, fastjson officially released a security bulletin indicating that fastjson 1.2.24 and earlier versions contain a high-risk remote code execution vulnerability. An attacker can use this vulnerability to remotely execute malicious code and compromise the server...

1.2 AI score
Exploits: 0
Tenable Nessus
added 2017/01/25 12:0 a.m. | 48 views

Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component: - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An...

9.8 CVSS | 7.9 AI score | 0.06021 EPSS
Exploits: 1 | References: 3
OSV
added 2016/07/13 2:0 a.m. | 3 views

CVE-2016-4216

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue...

7.5 CVSS | 5.8 AI score | 0.00682 EPSS
Exploits: 0 | References: 2
OSV
added 2016/07/13 2:0 a.m. | 0 views

UBUNTU-CVE-2016-4216

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue...

7.5 CVSS | 7.1 AI score | 0.00682 EPSS
Exploits: 0 | References: 3
OSV
added 2016/06/06 12:0 a.m. | 17 views

DLA-504-1 libxstream-java - security update

Bulletin has no description...

7.5 CVSS | 7.5 AI score | 0.04224 EPSS
Exploits: 0
Exploit DB
added 2016/05/25 12:0 a.m. | 40 views

PowerFolder Server 10.4.321 - Remote Code Execution

Mogwai Security Advisory MSA-2016-01. Title: PowerFolder Remote Code Execution Vulnerability. Product: PowerFolder Server. Affected versions: 10.4.321 (Linux/Windows); other versions might also be affected. Impact: high. Remote: yes...

7.4 AI score
Exploits: 0
Tenable Nessus
added 2016/01/21 12:0 a.m. | 39 views

Oracle WebCenter Sites Apache Xalan-Java Library Security Bypass (January 2016 CPU)

The version of Oracle WebCenter Sites installed on the remote host is missing a security patch from the January 2016 Critical Patch Update (CPU). It is, therefore, affected by a security bypass vulnerability in the Apache Xalan-Java library due to a failure to properly restrict access to certain...

7.5 CVSS | 7.5 AI score | 0.05877 EPSS
Exploits: 2 | References: 2
OpenVAS
added 2015/12/29 12:0 a.m. | 37 views

Mageia: Security Advisory (MGASA-2015-0487)

The remote host is missing an update for the...

5 CVSS | 7.8 AI score | 0.00972 EPSS
Exploits: 0 | References: 4
Tenable Nessus
added 2015/12/15 12:0 a.m. | 36 views

Debian DSA-3417-1 : bouncycastle - security update

Tibor Jager, Jorg Schwenk, and Juraj Somorovsky, from Horst Gortz Institute for IT Security, published a paper in ESORICS 2015 where they describe an invalid curve attack in Bouncy Castle Crypto, a Java library for cryptography. An attacker is able to recover private Elliptic Curve keys from...

5 CVSS | 7.4 AI score | 0.00972 EPSS
Exploits: 0 | References: 7
Debian
added 2015/12/14 12:51 p.m. | 42 views

[SECURITY] [DSA 3417-1] bouncycastle security update

Debian Security Advisory DSA-3417-1 (Luciano Bello, December 14, 2015). https://www.debian.org/security/ https://www.debian.org/security/faq ...

5 CVSS | 8.4 AI score | 0.00972 EPSS
Exploits: 0
OSV
added 2015/12/14 12:0 a.m. | 20 views

DSA-3417-1 bouncycastle - security update

Bulletin has no description...

5 CVSS | 6.3 AI score | 0.00972 EPSS
Exploits: 0
OpenVAS
added 2015/12/14 12:0 a.m. | 30 views

Debian Security Advisory DSA 3417-1 (bouncycastle - security update)

Tibor Jager, Jorg Schwenk, and Juraj Somorovsky, from Horst Gortz Institute for IT Security, published a paper in ESORICS 2015 where they describe an invalid curve attack in Bouncy Castle Crypto, a Java library for cryptography. An attacker is able to recover private Elliptic Curve keys from...

5 CVSS | 7.6 AI score | 0.00972 EPSS
Exploits: 0 | References: 1
Debian
added 2015/12/08 11:28 a.m. | 56 views

[SECURITY] [DLA 361-1] bouncycastle security update

Package: bouncycastle. Version: 1.44+dfsg-2+deb6u1. CVE ID: CVE-2015-7940. Debian Bug: 802671. The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic...

5 CVSS | 6.8 AI score | 0.00972 EPSS
Exploits: 0