GHSA-3RFQ-4WPF-QQW3 Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Summary: ResourceBundleMessageSource maintains two caches: messageCache, bounded at 100 entries via ConcurrentLinkedHashMap, and bundleCache, an unbounded ConcurrentHashMap. The bundleCache is keyed by (Locale, baseName), where the locale originates from the HTTP Accept-Language header. In applications tha...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the unbounded bundleCache in ResourceBundleMessageSource. An attacker can cause memory exhaustion and degrade service availability by sending numerous HTTP requests with uniqu...
PT-2026-38293
Name of the Vulnerable Software and Affected Versions: Micronaut Framework versions prior to 4.10.22. Description: In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can cause heap memory exhaustion. This occurs...
Linux Distros Unpatched Vulnerability : CVE-2016-1000006
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param and ResourceBundle::__construct functions. CVE-2016-1000006 Note that Nessus relies on the...
Cross-site Request Forgery (CSRF)
sylius/resource-bundle is vulnerable to Cross-Site Request Forgery. The vulnerability is due to the absence of proper validation and insufficient CSRF protection for actions such as marking order payments or product reviews in the AdminBundle and ResourceBundle. This allows attackers to perfo...
SUSE CVE-2009-2475
Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3)...
Sylius Injection Vulnerability (CNVD-2020-49008)
Sylius is an open-source e-commerce platform from the Polish company Sylius, built on the Symfony framework. An injection vulnerability exists in Sylius ResourceBundle, which stems from the program's failure to properly handle request parameters. An attacker can exploit the vulnerability to execute...
Remote Code Execution (RCE)
sylius/resource-bundle is vulnerable to remote code execution (RCE). The vulnerability exists because the value of $variable in ParametersParser.php is not sanitized...
Remote Code Execution (RCE)
sylius/resource-bundle is vulnerable to remote code execution (RCE). The vulnerability exists because the value of $variable in OptionsParser.php is not sanitized...
Prototype Pollution
Overview: i18next is an internationalization framework for the browser or any other JavaScript environment, e.g. Node.js. Affected versions of this package are vulnerable to Prototype Pollution. This vulnerability relates to the AddResourceBundle API, which uses the deepExtend function...
Information Disclosure
sylius/resource-bundle is vulnerable to information disclosure. The vulnerability exists because ResourceBundle did not properly restrict the values of serialization_groups that can be passed through the HTTP header...
Huawei EulerOS: Security Advisory for java-1.8.0-openjdk (EulerOS-SA-2018-1028)
The remote host is missing an update for the Huawei EulerOS...
UBUNTU-CVE-2016-1000006
hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param and ResourceBundle::__construct functions...
CVE-2018-2602
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making their Java application load an attacker controlled class file...
Improper Access Control
Oracle Java SE is affected by an improper access control vulnerability. This is because the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making the...
OpenJDK: loading of classes from untrusted locations (I18n, 8182601)
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making their Java application load an attacker controlled class file...
Important: java-1.8.0-openjdk
Issue Overview: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998). It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass...
OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564)
Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries...