PT-2021-4780 · Xstream +7 · Xstream +7

Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.16 Description: The issue is related to the XStream Java library, which is used for serializing objects to XML and back again. It may allow a remote attacker to load and execute arbitrary code from a remote host ...

CVE-2020-1899

The unserialize function supported a type code, "S", which was meant to be supported only for APC serialization. This type code allowed arbitrary memory addresses to be accessed as if they were static StringData objects. This issue affected HHVM prior to v4.32.3, between versions 4.33.0 and 4.56....

Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 - Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 ,version 8, that is used by IBM Tivoli Composite Application Manager for Transactions - Robotic Response Time. These issues were disclosed as part of the IBM Java SDK updates in August 2020. CVE-2020-14792 ...

Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE.

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-14779 DESCRIPTION: An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low...

CVE-2021-21979

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APPKEY ...

Design/Logic Flaw

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APPKEY ...

CVE-2021-21979

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APPKEY ...

CVE-2021-25329

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the...

CloudBees Jenkins Support Core Plugin Information Disclosure Vulnerability

Jenkins Support Core is a Jenkins open source application plugin . Provides in Jenkins to generate support information "bundle" of the basic infrastructure . An information disclosure vulnerability exists in Jenkins Support Core Plugin version 2.72 and earlier. The vulnerability stems from the...

Authentication flaw

Jenkins Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user basic authentication details only" information, which can include the session ID of the user creating the support bundle in some configurations...

OSV-2021-396 Heap-buffer-overflow in OT::OffsetTo<OT::Anchor, OT::IntType<unsigned short, 2u>, true>* hb_serialize_co

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30908 Crash type: Heap-buffer-overflow READ 2 Crash state: OT::OffsetTo, true hbserializeco OT::OffsetTo, true hbserializeco bool OT::AnchorMatrix::serializehbfilteriterthbrangeitertunsigned int,...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 1.8 used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections. Vulnerability Details CVEID: CVE-2020-14779...

OESA-2021-1014 jackson-databind security update

The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\n Security Fixes:\r\n\r\n FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction...

EulerOS 2.0 SP5 : java-1.8.0-openjdk (EulerOS-SA-2021-1198)

According to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Hotspot. Supported versions that are affected ar...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ used by IBM i. IBM i has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2020-14779 DESCRIPTION: An unspecified vulnerability in Java SE related to the Serialization...

CentOS 8 : pki-core:10.6 and pki-deps:10.6 (CESA-2020:1644)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1644 advisory. - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig CVE-2019-14540 - jackson-databind: Serialization gadgets in...

CentOS 8 : java-11-openjdk (CESA-2020:0128)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:0128 advisory. - OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport Serialization, 8224909 CVE-2020-2583 - OpenJDK: Improper checks ...

[SECURITY] Fedora 32 Update: PyYAML-5.4.1-1.fc32

YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python. PyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML...

CentOS 8 : java-11-openjdk (CESA-2019:3135)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:3135 advisory. - OpenJDK: Missing restrictions on use of custom SocketImpl Networking, 8218573 CVE-2019-2945 - OpenJDK: Improper handling of Kerberos proxy credential...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2020) affect IBM InfoSphere Information Server

Summary There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition, Versions 7 and 8 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in October 2020. Vulnerability Details CVEID: CVE-2020-14797 DESCRIPTION: An...