64 matches found

ATTACKERKB
added 2018/11/26 2:29 a.m., 0 views

CVE-2018-19531

HTTL aka Hyper-Text Template Language through 1.0.11 allows remote command execution because the decodeXml function uses java.beans.XMLEncoder unsafely when configured without an xml.codec= setting...

CVSS 9.8, AI score 5.7, EPSS 0.0566
Exploits: 1, References: 2
CNVD
added 2018/11/26 12:00 a.m., 2 views

HTTL Remote Command Execution Vulnerability

HTTL, also known as Hyper-Text Template Language, is an open source Java template engine, mainly used for dynamic HTML page output. HTTL 1.0.11 and earlier versions have a security vulnerability, which stems from the failure to configure xml.codec: the program defaults to us...

CVSS 9.8, AI score 9.5, EPSS 0.0566
Exploits: 1, References: 1
NVD
added 2018/06/11 5:29 p.m., 17 views

CVE-2017-3202

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

CVSS 9.8, AI score 9.5, EPSS 0.10592
Exploits: 2, References: 4
OSV
added 2018/06/11 5:29 p.m., 2 views

CVE-2017-3200

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availabili...

CVSS 8.1, AI score 6.3, EPSS 0.1373
Exploits: 2, References: 4
NVD
added 2018/06/11 5:29 p.m., 20 views

CVE-2017-3200

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availabili...

CVSS 8.1, AI score 8.2, EPSS 0.1373
Exploits: 2, References: 4
Cvelist
added 2018/06/11 5:00 p.m., 18 views

CVE-2017-3202 The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

AI score 9.6, EPSS 0.10592
Exploits: 2, References: 4
CVE
added 2018/06/11 5:00 p.m., 63 views

CVE-2017-3200

CVE-2017-3200 concerns GraniteDS’s AMF3 deserializers. The Java AMF3 implementation in GraniteDS 3.1.1.GA can instantiate arbitrary classes via public no-arg constructors and invoke JavaBeans setters during deserialization, enabling remote attackers to execute arbitrary code if affected classes a...

CVSS 8.1, AI score 8.2, EPSS 0.1373
Exploits: 2, References: 4, Affected Software: 1
Veracode
added 2017/04/06 8:05 a.m., 57 views

Remote Code Execution (RCE)

flex-messenger-core is vulnerable to remote code execution (RCE). The AMF3 deserializers in the library allow the instantiation of arbitrary classes via parameter-less Java Beans constructors. This allows a malicious user to send a malicious AMF3 object to the system to execute arbitrary code...

CVSS 9.8, AI score 9.7, EPSS 0.48477
Exploits: 4, References: 9, Affected Software: 1
Veracode
added 2017/04/06 7:17 a.m., 20 views

Remote Code Execution (RCE)

amf-serializer is vulnerable to remote code execution (RCE). The AMF3 deserializers in the library allow the instantiation of arbitrary classes via parameter-less Java Beans constructors. This allows a malicious user to send a malicious AMF3 object to the system to execute arbitrary code...

CVSS 9.8, AI score 9.7, EPSS 0.10592
Exploits: 2, References: 5, Affected Software: 1
RedhatCVE
added 2015/09/18 2:40 a.m., 2 views

CVE-2012-4549

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform aka JBoss EAP or JBEAP before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans EJB method invocation, which allows attackers to bypas...

CVSS 5.8, AI score 5.9, EPSS 0.00131
Exploits: 1, References: 1
RedHat Linux
added 2015/05/14 3:14 p.m., 2 views

Security: Invalid EJB caller role check implementation

It was found that the isCallerInRole method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles...

CVSS 4.9, AI score 5.7, EPSS 0.00241
Exploits: 0, References: 4
Fedora
added 2015/04/21 6:56 p.m., 34 views

[SECURITY] Fedora 22 Update: opensaml-java-xmltooling-1.3.4-9.fc22

Java XMLTooling is a low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner...

CVSS 4.3, AI score 3.9, EPSS 0.01861
Exploits: 0
RedHat Linux
added 2015/04/16 4:02 p.m., 2 views

WS: EJB3 role restrictions are not applied to jaxws handlers

A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attack...

CVSS 5.5, AI score 5.8, EPSS 0.00326
Exploits: 0, References: 4
RedHat Linux
added 2013/12/04 6:00 p.m., 3 views

WS: EJB3 role restrictions are not applied to jaxws handlers

A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attack...

CVSS 5.5, AI score 5.8, EPSS 0.00326
Exploits: 0, References: 4
RedHat Linux
added 2013/12/04 5:58 p.m., 3 views

WS: EJB3 role restrictions are not applied to jaxws handlers

A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attack...

CVSS 5.5, AI score 5.8, EPSS 0.00326
Exploits: 0, References: 4
RedHat Linux
added 2013/10/16 4:45 p.m., 2 views

ejb-client: Session fixation due improper connection caching

Red Hat JBoss Enterprise Application Platform EAP 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client...

CVSS 6.4, AI score 5.9, EPSS 0.00587
Exploits: 1, References: 4
RedHat Linux
added 2013/05/14 5:49 p.m., 4 views

OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)

Unspecified vulnerability in the Java Runtime Environment JRE component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans...

CVSS 10, AI score 5.8, EPSS 0.05406
Exploits: 0, References: 4
RedHat Linux
added 2013/04/17 6:37 p.m., 3 views

OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)

Unspecified vulnerability in the Java Runtime Environment JRE component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans...

CVSS 10, AI score 5.8, EPSS 0.05406
Exploits: 0, References: 4
Prion
added 2013/02/02 12:55 a.m., 15 views

Design/Logic Flaw

Unspecified vulnerability in the Java Runtime Environment JRE component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. NOTE: the previous information is from the February 20...

CVSS 7.6, AI score 6, EPSS 0.08026
Exploits: 0, References: 15, Affected Software: 2
Cvelist
added 2013/02/02 12:00 a.m., 19 views

CVE-2013-0444

Unspecified vulnerability in the Java Runtime Environment JRE component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. NOTE: the previous information is from the February 20...

AI score 8.1, EPSS 0.08026
Exploits: 0, References: 15