
415 matches found

OSV
added 2017/12/28 3:29 p.m., 3 views

CVE-2017-5641

Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...

CVSS 9.8, AI score 6, EPSS 0.21274
Exploits 4, References 8
OpenVAS
added 2017/11/15 12:00 a.m., 37 views

Debian: Security Advisory (DSA-4037-1)

The remote host is missing an update for the Debian advisory DSA-4037-1...

AI score 9.1
Exploits 0, References 3
Tenable Nessus
added 2017/11/09 12:00 a.m., 38 views

Debian DSA-4025-1 : libpam4j - security update

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt during authentication. As such, a user who has a valid password but a deactivated or disabled account could still log in...

CVSS 6.5, AI score 6.2, EPSS 0.0154
Exploits 0, References 4
RedHat Linux
added 2017/11/02 8:08 p.m., 2 views

jsch: ChannelSftp path traversal vulnerability

A vulnerability was discovered in JSch that allows a malicious sftp server to force a client-side relative path traversal in jsch's implementation for recursive sftp-get. An attacker could leverage this to write files outside the client's download basedir with effective permissions of the jsch sf...

CVSS 5.9, AI score 6.9, EPSS 0.24143
Exploits 3, References 5
Debian
added 2017/10/20 5:52 a.m., 53 views

[SECURITY] [DSA 4004-1] jackson-databind security update

Debian Security Advisory DSA-4004-1, [email protected], https://www.debian.org/security/, Sebastien Delafond, October 20, 2017, https://www.debian.org/security/faq...

CVSS 9.8, AI score 9.3, EPSS 0.37925
Exploits 7
CNVD
added 2017/08/21 12:00 a.m., 4 views

Nimbus JOSE+JWT padding oracle attack information disclosure vulnerability

Nimbus JOSE+JWT is an open source Java library. Nimbus JOSE+JWT has a security vulnerability that allows attackers to submit specially crafted requests to perform padding oracle attacks and obtain sensitive information...

CVSS 4.3, AI score 4.4, EPSS 0.00637
Exploits 0, References 1
Tenable Nessus
added 2017/07/20 12:00 a.m., 108 views

Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)

The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An...

CVSS 9.8, AI score 7.7, EPSS 0.55724
Exploits 3, References 15
Hacker One
added 2017/07/10 10:22 p.m., 53 views

U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website

Summary: One of the DoD applications uses a Java library which is vulnerable to expression language injection. Using only a URL I was able to inject Java code. I made a simple PoC that requests a name resolution to a DNS server. Description: The application at https://███ uses Primefaces version...

AI score 7.9
Exploits 0
OSV
added 2017/06/30 12:29 p.m., 1 view

CVE-2017-10668

A Padding Oracle exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 Java and OSCI Transport Library 1.6 .NET. Under an MITM condition within the OSCI infrastructure, an attacker needs to send crafted protocol messages to analyse the CBC mode padding in order to decrypt the...

CVSS 5.9, AI score 5.8
Exploits 0, References 2
OSV
added 2017/06/30 12:29 p.m., 2 views

CVE-2017-10670

An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 Java and OSCI Transport Library 1.6 .NET, exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure...

CVSS 9.8, AI score 5.8, EPSS 0.01355
Exploits 0, References 2
CNVD
added 2017/05/23 12:00 a.m., 4 views

Unspecified Vulnerability in Jasypt

Jasypt is a Java library with encryption features developed by the Jasypt team. It is based on standard cryptography and is able to perform one-way or two-way encryption of passwords, text, numbers, binary files and so on. A security vulnerability exists in versions of Jasypt prior to 1.9.2. An attacker can...

CVSS 7.5, AI score 6.8, EPSS 0.02432
Exploits 0, References 1
Debian
added 2017/04/10 7:16 p.m., 30 views

[SECURITY] [DLA 893-1] bouncycastle security update

Package: bouncycastle. Version: 1.44+dfsg-3.1+deb7u2. CVE ID: CVE-2015-6644. An information disclosure vulnerability was discovered in Bouncy Castle, a Java library which consists of various cryptographic algorithms. The Galois/Counter mode (GCM) implementation was missing a boundary check that cou...

CVSS 4.3, AI score 4.4, EPSS 0.00926
Exploits 0
RedHat Linux
added 2017/04/03 9:02 p.m., 4 views

jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows...

CVSS 5.8, AI score 7.4, EPSS 0.09254
Exploits 0, References 4
myhack58
added 2017/03/31 12:00 a.m., 124 views

fastjson remote code execution vulnerability technical analysis and protection solution - vulnerability warning - the black bar safety net

On 15 March 2017, fastjson officially released a security bulletin indicating that fastjson 1.2.24 and prior versions contain a high-risk remote code execution vulnerability. An attacker can use this vulnerability to remotely execute malicious code and compromise the server...

AI score 1.2
Exploits 0
Tenable Nessus
added 2017/01/25 12:00 a.m., 49 views

Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)

The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An...

CVSS 9.8, AI score 7.9, EPSS 0.07958
Exploits 1, References 3
OSV
added 2016/07/13 2:00 a.m., 6 views

CVE-2016-4216

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue...

CVSS 7.5, AI score 5.8, EPSS 0.03631
Exploits 0, References 2
OSV
added 2016/07/13 2:00 a.m., 0 views

UBUNTU-CVE-2016-4216

XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue...

CVSS 7.5, AI score 7.1, EPSS 0.03631
Exploits 0, References 3
OSV
added 2016/06/06 12:00 a.m., 17 views

DLA-504-1 libxstream-java - security update

Bulletin has no description...

CVSS 7.5, AI score 7.5, EPSS 0.08402
Exploits 0
Exploit DB
added 2016/05/25 12:00 a.m., 40 views

PowerFolder Server 10.4.321 - Remote Code Execution

Mogwai Security Advisory MSA-2016-01. Title: PowerFolder Remote Code Execution Vulnerability. Product: PowerFolder Server. Affected versions: 10.4.321 (Linux/Windows); other versions might also be affected. Impact: high. Remote: yes...

AI score 7.4
Exploits 0
Tenable Nessus
added 2016/01/21 12:00 a.m., 40 views

Oracle WebCenter Sites Apache Xalan-Java Library Security Bypass (January 2016 CPU)

The version of Oracle WebCenter Sites installed on the remote host is missing a security patch from the January 2016 Critical Patch Update (CPU). It is, therefore, affected by a security bypass vulnerability in the Apache Xalan-Java library due to a failure to properly restrict access to certain...

CVSS 7.5, AI score 7.5, EPSS 0.137
Exploits 2, References 2