Lucene search: 461 matches found

[RedHat Linux] jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
added 2020/01/21 2:57 a.m.

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

CVSS 9.8 | AI score 7 | EPSS 0.04918 | Exploits 0 | References 4

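The advisory names the two preconditions that make a gadget class reachable: the document is allowed to choose the concrete class (enableDefaultTyping, or @JsonTypeInfo with Id.CLASS) and the named class exists on the classpath. The following is an added example, not code from the advisory or from jackson-databind itself, showing the vulnerable mapper configuration beside the jackson-databind 2.10+ hardened form. The two bean classes are stand-ins constructed for the example: AllowedBean plays the application's own types and OtherBean plays whatever class an attacker names instead, such as the HikariDataSource gadget from the advisory.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // Constructed stand-ins: AllowedBean is "our" model type, OtherBean is any other
    // class on the classpath (the role HikariDataSource plays in the advisory).
    public static class AllowedBean { public String name; }
    public static class OtherBean   { public String jdbcUrl; }

    // With default typing enabled the JSON itself names the concrete class, using the
    // WRAPPER_ARRAY form: ["fully.qualified.ClassName", { ...properties... }].
    static String classIdPayload(Class<?> c) {
        return "[\"" + c.getName() + "\", {}]";
    }

    // Vulnerable: enableDefaultTyping() accepts any classpath class that matches the
    // DefaultTyping criterion (OBJECT_AND_NON_CONCRETE), so the document picks the gadget.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened (jackson-databind 2.10+): default typing is only activated through a
    // PolymorphicTypeValidator, and only subtypes of the application's own base types
    // are allowed. Everything else, including any gadget class, is denied.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(AllowedBean.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns the runtime class the mapper instantiated for the payload, or null when
    // the mapper refused to resolve the type id. JsonMappingException is the common
    // supertype of the validator's InvalidTypeIdException and the older blocklist error.
    static Class<?> resolvedClass(ObjectMapper mapper, String json) {
        try {
            Object o = mapper.readValue(json, Object.class);
            return o.getClass();
        } catch (JsonMappingException e) {
            return null;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String attackerChoice = classIdPayload(OtherBean.class);
        // Vulnerable mapper instantiates whatever class the document names.
        System.out.println("vulnerable resolves: " + resolvedClass(vulnerableMapper(), attackerChoice));
        // Hardened mapper refuses the same document (null), but still accepts our own type.
        System.out.println("hardened resolves:   " + resolvedClass(hardenedMapper(), attackerChoice));
        System.out.println("hardened resolves:   " + resolvedClass(hardenedMapper(), classIdPayload(AllowedBean.class)));
    }
}
```

The validator denies unless a rule explicitly allows the subtype, so enumerating the application's own base types is the right shape; a blocklist of known gadgets (which is what the pre-2.10 fixes amounted to) has to be extended for every new gadget such as HikariDataSource. The @JsonTypeInfo(use = Id.CLASS) case mentioned in the advisory is not covered by activateDefaultTyping; apply the same validator to annotation-driven typing with ObjectMapper.setPolymorphicTypeValidator(ptv).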
[Hacker One] Open-Xchange: Unchecked URL in attachment datasource
added 2019/10/30 9:47 a.m.

Implementation of the com.openexchange.url.mail.attachment datasource does no validation of the url parameter. Any URL supported by Java's URLConnection can be read. Attached is an exploit which reads the /etc/hostname file from the sandbox server. Impact: Any URL supported by Java's URLConnection can be read...

AI score 2.6 | Exploits 0

[Kitploit] ATTACKdatamap - A Datasource Assessment On An Event Level To Show Potential Coverage Of The MITRE ATT&CK Framework
added 2019/10/26 11:54 a.m.

A datasource assessment on an event level to show potential coverage of the "MITRE ATT&CK" framework. This tool is developed by me and has no affiliation with "MITRE" nor with its great "ATT&CK" team; it is developed with the intention to ease the mapping of data sources to assess one's potential...

AI score 7.2 | Exploits 0 | References 2

[OSV] DEBIAN-CVE-2019-16335
added 2019/09/15 10:15 p.m.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540...

CVSS 9.8 | AI score 7.1 | EPSS 0.04918 | Exploits 0 | References 1

[OSV] UBUNTU-CVE-2019-16335
added 2019/09/15 10:15 p.m.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540...

CVSS 9.8 | AI score 6.9 | EPSS 0.04918 | Exploits 0 | References 5

[IBM Security Bulletins] Security Bulletin: Information Disclosure in WebSphere Application Server (CVE-2018-1621)
added 2019/02/19 6:00 p.m.

Summary: There is a potential information disclosure vulnerability in WebSphere Application Server. Vulnerability Details: CVEID: CVE-2018-1621. DESCRIPTION: IBM WebSphere Application Server could allow a local attacker to obtain a clear text password in a trace file caused by improper handling of som...

CVSS 6.7 | AI score 0.7 | EPSS 0.00265 | Exploits 0 | Affected Software 1

[OSV] CVE-2018-1621
added 2018/07/06 2:29 p.m.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local attacker to obtain a clear text password in a trace file caused by improper handling of some datasource custom properties. IBM X-Force ID: 144346...

CVSS 6.7 | AI score 5.8 | EPSS 0.00265 | Exploits 0 | References 3

[NVD] CVE-2018-1621
added 2018/07/06 2:29 p.m.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local attacker to obtain a clear text password in a trace file caused by improper handling of some datasource custom properties. IBM X-Force ID: 144346...

CVSS 6.7 | AI score 5.3 | EPSS 0.00265 | Exploits 0 | References 3

[Prion] Design/Logic Flaw (CVE-2018-1621)
added 2018/07/06 2:29 p.m.

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local attacker to obtain a clear text password in a trace file caused by improper handling of some datasource custom properties. IBM X-Force ID: 144346...

CVSS 2.1 | AI score 6.2 | EPSS 0.00265 | Exploits 0 | References 3 | Affected Software 1

[RedHat Linux] Mozilla: Vulnerabilities found through code inspection (MFSA 2015-66)
added 2015/07/20 4:34 p.m.

The YCbCrImageDataDeserializer::ToDataSourceSurface function in the YCbCr implementation in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and Thunderbird before 38.1 reads data from uninitialized memory locations, which has unspecified impact and attack vectors...

CVSS 10 | AI score 7.3 | EPSS 0.02654 | Exploits 0 | References 5

[Zero Day Initiative] SAP Crystal Reports Datasource Stack Buffer Overflow Remote Code Execution Vulnerability
added 2014/09/03 12:00 a.m.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling...

CVSS 6.8 | AI score 6.6 | EPSS 0.03809 | Exploits 0 | References 1

[seebug.org] Microsoft Internet Explorer 4/5/6 XML Datasource Applet File Disclosure Vulnerability
added 2014/07/01 12:00 a.m.

No description provided by source. Source: http://www.securityfocus.com/bid/5490/info. A problem in Microsoft Internet Explorer could lead to the disclosure of sensitive information. Due to the design of the datasource applet, it may be possible for a user to view the contents of local files via a...

AI score 7.1 | Exploits 0

[Positive Technologies] PT-2014-3530 · Red Hat · Rhevm-Reports
added 2014/05/29 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: Red Hat Enterprise Virtualization Manager reports (rhevm-reports) versions prior to 3.3.3-1. Description: The issue allows local users to obtain sensitive information by reading a configuration file due to world-readable permissions. The file in...

CVSS 2.1 | AI score 5.7 | EPSS 0.00372 | Exploits 0 | References 3

[RedHat Linux] ovirt-engine-reports: js-jboss7-ds.xml is world-readable
added 2014/05/27 4:20 p.m.

The Red Hat Enterprise Virtualization Manager reports rhevm-reports package before 3.3.3-1 uses world-readable permissions on the datasource configuration file js-jboss7-ds.xml, which allows local users to obtain sensitive information by reading the file...

CVSS 2.1 | AI score 5.8 | EPSS 0.00372 | Exploits 0 | References 4

[NVD] CVE-2012-3428
added 2012/12/20 12:02 p.m.

The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an arbitrary datasource...

CVSS 4.3 | AI score 6.6 | EPSS 0.0141 | Exploits 0 | References 8

[Prion] Design/Logic Flaw (CVE-2012-3428)
added 2012/12/20 12:02 p.m.

The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an arbitrary datasource...

CVSS 4.3 | AI score 7.2 | EPSS 0.0141 | Exploits 0 | References 8 | Affected Software 1

[RedHat Linux] JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains
added 2012/12/18 10:43 p.m.

The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an arbitrary datasource...

CVSS 4.3 | AI score 5.8 | EPSS 0.0141 | Exploits 0 | References 4
