64 matches found
CVE-2017-12617
CVE-2017-12617 concerns Apache Tomcat JSP upload via HTTP PUT when readonly=false and PUTs are allowed. Affected: Tomcat 7.x/8.x/9.x (various 7.0.0–7.0.81, 8.0.0.RC1–8.0.46, 8.5.0–8.5.22, 9.0.0.M1–9.0.0) with PUT enabled. Root cause: PUT request handling allowed uploading a JSP, enabling remote c...
CVE-2017-12615
CVE-2017-12615 affects Apache Tomcat 7.0.0–7.0.79 on Windows when HTTP PUTs are enabled (readonly=false), allowing an attacker to upload a JSP file that can be executed by the server. Connected documents confirm remote code execution via crafted requests and note remediation through vendor adviso...
CVE-2016-8735
CVE-2016-8735 is a remote code execution vulnerability in Apache Tomcat via JmxRemoteLifecycleListener. Affected are Tomcat releases before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12, when JMX ports are reachable. Root cause: JmxRemoteLifecycleListe...
CVE-2016-3427
CVE-2016-3427 is an unspecified vulnerability in Oracle Java SE (affecting 6u113, 7u99, 8u77) and JRockit, tied to the Java Management Extensions (JMX) component. Exploitation can affect confidentiality, integrity, and availability via JMX-related vectors; the issue is described as an unspecified...
CVE-2016-9841
CVE-2016-9841 is a vulnerability in zlib 1.2.8 related to improper pointer arithmetic in inffast.c that could have context-dependent impact. Connected advisories confirm public details and show remediation by upgrading zlib to a newer version (e.g., 1.2.11) across affected products and distributi...
CVE-2017-7525
CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...
CVE-2017-10355
CVE-2017-10355 is documented across multiple openJDK/OpenJDK-derived advisories (CentOS, Debian, Amazon, IBM, etc.) as a networking vulnerability in the FtpClient component of OpenJDK’s Java SE/Java SE Embedded. Technical details in connected sources specify that the FtpClient did not set default...
CVE-2017-15095
Summary of CVE-2017-15095 and related sightings : The material consistently reports a deserialization flaw in jackson-databind, affecting versions prior to 2.8.10 and 2.9.1. An unauthenticated user could trigger code execution via ObjectMapper.readValue with malicious input. The issue is describe...
CVE-2017-17485
CVE-2017-17485 affects FasterXML jackson-databind: a deserialization flaw that enables unauthenticated remote code execution via readValue when the blacklist is bypassed if Spring libraries are on the classpath. The initial description specifies impact for jackson-databind up to 2.8.10 and 2.9.x ...
CVE-2016-5018
CVE-2016-5018 affects multiple Tomcat branches (9.0.0.M1–M9, 8.5.0–8.5.4, 8.0.0.RC1–8.0.36, 7.0.0–7.0.70, 6.0.0–6.0.45). The vulnerability allows a malicious web application to bypass a configured SecurityManager via a Tomcat utility method that is accessible to web applications, enabling bypass ...
CVE-2016-10165
CVE-2016-10165 targets Little CMS (lcms2). The Type_MLU_Read function in cmstypes.c may trigger an out-of-bounds heap read when processing a crafted ICC profile, potentially allowing information disclosure or denial of service. Connected IBM advisories confirm the vulnerability details for produc...
CVE-2017-10135
CVE-2017-10135 is a timing-channel vulnerability in the PKCS#8 implementation of the JCE component of OpenJDK/OpenJDK-derived JREs. Public sources in the dataset describe it as a covert timing channel flaw that could enable a remote attacker to glean information about the private key via timing a...
CVE-2017-10102
CVE-2017-10102 is a remotely exploitable issue in Oracle Java SE and Java SE Embedded (RMI subcomponent) affecting Java SE 6u151, 7u141, 8u131 and Java SE Embedded 8u131. A remote attacker could compromise the target via API data handling over network access, potentially taking over the Java runt...
CVE-2017-10115
CVE-2017-10115 is a covert timing-channel vulnerability in the DSA implementation of the JCE in OpenJDK/OpenJRE/JRockit, affecting Java SE 6u151, 7u141, 8u131 and related packages (e.g., OpenJDK 7 on Debian/Ubuntu, RHEL/CentOS, Arch Linux advisories). A remote attacker could potentially exploit t...
CVE-2017-10345
CVE-2017-10345 affects Oracle Java SE/Embedded/JRockit serialization. The vulnerability allows an unauthenticated attacker with network access to compromise the target, potentially causing a partial denial of service; exploitation is difficult and may require human interaction. Affected versions ...
CVE-2017-10087
CVE-2017-10087 is a vulnerability in Oracle Java SE/Java SE Embedded Libraries affecting Java SE 6u151, 7u141, and 8u131, and Java SE Embedded 8u131. The issue is an access-control bypass in the Libraries component that could allow a network-facilitated, unauthenticated attacker to take control o...
CVE-2017-10295
CVE-2017-10295 affects OpenJDK (Java SE/Java SE Embedded) Networking: HttpURLConnection/HttpsURLConnection failed to detect newline characters in URLs, enabling potential HTTP header injection via attacker-provided URLs. Public notices in connected docs show affected package openjdk-7/openjdk-8 w...
CVE-2017-10356
CVE-2017-10356 affects OpenJDK/OpenJDK Security component. The root cause is weak password-based encryption keys used to protect private keys stored in keystores, enabling an unauthenticated attacker with sufficient access to compromise protected data. Affected: Java SE components (OpenJDK/OpenJD...
CVE-2017-10281
CVE-2017-10281 affects Oracle/OpenJDK components (Java SE, Java SE Embedded, JRockit) with the Serialization subcomponent. The vulnerability is exploitable remotely via network protocols and can be triggered by sandboxed Web Start/Applet use or by supplying data to APIs, potentially causing parti...
CVE-2017-10350
CVE-2017-10350 is an OpenJDK/Oracle Java SE vulnerability in the JAX-WS subcomponent that could allow an unauthenticated network attacker to cause a partial denial of service in Java SE/Java SE Embedded deployments (clients loading untrusted code in sandbox). Affected versions per initial descrip...
CVE-2017-10116
CVE-2017-10116 affects Oracle Java SE / Java SE Embedded / JRockit (OpenJDK-related vulnerabilities also reflected in various advisories). The vulnerability arises in the Security component’s LDAPCertStore where LDAP referrals to arbitrary URLs could be used by an unauthenticated network attacker...
CVE-2017-10388
CVE-2017-10388 affects the OpenJDK Kerberos client: the sname field from the plain-text KDC reply was used instead of the encrypted part, enabling a potential MITM impersonation of Kerberos services for Java applications acting as Kerberos clients. This vulnerability is documented across multiple...
CVE-2017-10348
CVE-2017-10348 affects OpenJDK/OpenJDK-derived Java SE/Embedded libraries. The vulnerability, exploitable over the network by unauthenticated attackers, can lead to a partial denial of service on Java SE and Java SE Embedded. Public details in the provided materials indicate affected versions var...
CVE-2017-10090
CVE-2017-10090 affects Oracle/OpenJDK libraries (Java SE and Java SE Embedded). The connected documents confirm affected components and versions (Java SE: 7u141, 8u131; Java SE Embedded: 8u131) and describe the root cause as gaps in the Libraries/RMI-related areas that can bypass sandbox restrict...
CVE-2017-10346
CVE-2017-10346 is an OpenJDK/Java SE vulnerability affecting multiple OpenJDK components (Hotspot, OpenJDK sandboxes) across affected Java versions (OpenJDK6/7/8/9 in various advisories). The public records in connected documents indicate the issue includes bypassing Java sandbox restrictions via...
CVE-2017-10067
CVE-2017-10067 affects Java SE Security in OpenJDK (targets: Java 6u151, 7u141, 8u131). The vulnerability allows a network-accessing, unauthenticated attacker to take control of the Java runtime via multiple protocols; exploitation requires user interaction. Impact aligns with the CVSS 3.0 base s...
CVE-2017-10243
CVE-2017-10243 affects Oracle Java SE, Java SE Embedded, and JRockit (JAX-WS subcomponent). Affected: Java SE 6u151, 7u141, 8u131; Java SE Embedded 8u131; JRockit R28.3.14. Exploitation: unauthenticated attacker with network access via multiple protocols can read a subset of data and cause a part...
CVE-2017-10081
CVE-2017-10081 is a Sandbox/Access-Restriction bypass in the Hotspot component of OpenJDK. Affected Java runtimes include Java SE 6u151, 7u141, and 8u131 (Java SE Embedded 8u131). Several connected advisories note this as part of a broader OpenJDK set of issues (RMI, JAXP, ImageIO, Libraries, AWT...
CVE-2017-10109
CVE-2017-10109 concerns a serialization flaw in Oracle/OpenJDK Java SE components (Java SE, Java SE Embedded, JRockit). The vulnerability, tied to the Serialization subcomponent, can allow an unauthenticated, network-scoped attacker to trigger a denial of service (partial DoS) by loading untruste...
CVE-2017-10349
CVE-2017-10349 affects the OpenJDK/JAXP component (Java SE and Java SE Embedded) where the vulnerability stems from unbounded memory growth during object creation from serialized data, enabling unauthenticated network access to cause a partial denial of service. Multiple connected advisories (IBM...
CVE-2017-10107
CVE-2017-10107 affects OpenJDK/OpenJDK-based packages (RMI) with vulnerable components in Java SE/Java SE Embedded. The connected security data confirms multiple OpenJDK subcomponents are vulnerable, including RMI-related sandbox bypass issues, and lists affected versions such as Java 6u151, 7u14...
CVE-2017-10101
CVE-2017-10101 is a concrete OpenJDK/OpenJDK JAXP vulnerability. Affected: Java SE (6u151, 7u141, 8u131) and Java SE Embedded (8u131). Issue: untrusted code loaded in sandboxed deployments can bypass protections and lead to full takeover of Java SE/Embedded via JAXP. Exploitation is network-based...
CVE-2017-10285
CVE-2017-10285 is confirmed to affect Oracle/OpenJDK Java SE and Java SE Embedded, specifically the RMI (Remote Method Invocation) component. The vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE/Embedded, with exploitation described...
CVE-2017-10347
CVE-2017-10347 is a serialization-related vulnerability in Oracle Java SE/JRockit that affects Java SE 6u161, 7u151, 8u144 and 9, and Java SE Embedded 8u144. The issue allows an unauthenticated, networked attacker to cause a partial denial of service in vulnerable deployments that load untrusted ...
CVE-2017-10096
CVE-2017-10096 – OpenJDK/JAXP vulnerability (CWE-style) shows a flaw in the Java SE/Java SE Embedded stack, specifically the JAXP component. Affected are Oracle Java SE versions 6u151, 7u141, 8u131 and Java SE Embedded 8u131. The vulnerability can allow an unauthenticated attacker with network ac...
CVE-2017-10108
CVE-2017-10108 affects Oracle Java SE, Java SE Embedded, and JRockit (Serialization). Affected versions include Java SE 6u151, 7u141, 8u131; Java SE Embedded 8u131; JRockit R28.3.14. The vulnerability allows unauthenticated remote exploitation via multiple protocols, potentially causing a partial...
CVE-2017-10053
CVE-2017-10053 is an OpenJDK/OpenJDK 2D JPEGImageReader vulnerability. The issue affects Java SE components (Java SE, Java SE Embedded, JRockit) with affected versions including Java 6u151, 7u141, 8u131 (and 8u131 for Java SE Embedded; JRockit R28.3.14). The vulnerability could allow an unauthent...
CVE-2017-10357
CVE-2017-10357 is a Java SE/OpenJDK vulnerability affecting the Serialization component in Oracle Java SE and Java SE Embedded. The Initial document lists affected versions as Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. The Connected documents corroborate multiple OpenJDK/OpenJDK...
CVE-2017-10089
CVE-2017-10089 affects Oracle Java SE ImageIO in OpenJDK/OpenJDK-derived disclosures: 6u151, 7u141, 8u131 are vulnerable. The issue allows a network-based, unauthenticated attacker to take control of the Java SE runtime, with UI interaction required, potentially impacting additional products. Aff...
CVE-2017-10110
CVE-2017-10110 affects the Java SE AWT component in Oracle Java SE and is reported in multiple advisories referencing OpenJDK/OpenJDK-derived packages. Affected versions noted across sources include Java SE 6u151, 7u141 and 8u131 (and related OpenJDK/OpenJDK7 packaging in Debian/CentOS/Arch Linux...
CVE-2017-10274
CVE-2017-10274 affects Oracle Java SE Smart Card IO. According to connected IBM advisories, the flaw can be exploited by an unauthenticated attacker over multiple protocols to compromise confidentiality and integrity (C/H, I/H) with high impact, though no availability impact is stated. Affected J...
CVE-2017-10074
CVE-2017-10074 affects OpenJDK/OpenJDK Hotspot in Java SE and Java SE Embedded. Affected: Java SE 6u151, 7u141, 8u131; Java SE Embedded 8u131. Root cause per advisories: Hotspot range-checking overflow in OpenJDK leading to possible arbitrary-code execution under a sandbox-compiled Java applet/ru...
CVE-2018-5968
CVE-2018-5968 concerns FasterXML jackson-databind deserialization. The entry notes unauthenticated remote code execution via two gadgets that bypass a blacklist, stemming from an incomplete fix for CVE-2017-7525 and CVE-2017-17485. Connected sources specify affected jackson-databind versions and ...
CVE-2016-6797
CVE-2016-6797 stems from Apache Tomcat’s ResourceLinkFactory not restricting web app access to global JNDI resources, allowing a web application to access any global JNDI resource regardless of explicit ResourceLink. Affects Tomcat 6.x/7.x/8.x/9.x releases listed in the entry (various 6.0–9.0 lin...
CVE-2017-10193
CVE-2017-10193 affects the Java SE and Java SE Embedded components (OpenJDK) with affected Java SE versions 6u151, 7u141, 8u131 and Java SE Embedded 8u131. The vulnerability enables a network-accessible attacker to compromise Java SE/Embedded when running untrusted code in sandboxed client deploy...
CVE-2017-10198
CVE-2017-10198 affects Oracle Java SE, Java SE Embedded, and JRockit. Vulnerability in the Security component (and related areas) allows unauthenticated network-based access to compromise affected Java runtimes (Java SE 6u151, 7u141, 8u131; Embedded 8u131; JRockit R28.3.14). Exploitation is possi...
CVE-2017-10309
CVE-2017-10309 involves the Deployment subcomponent of Oracle Java SE. Public details in the provided documents indicate an XML External Entity/Information Disclosure style vulnerability affecting Java 8u144 and Java 9 deployments, with network-accessible exploitation requiring user interaction. ...
CVE-2016-0762
CVE-2016-0762 affects Apache Tomcat realms across multiple branches (Tomcat 9.0.x, 8.5.x, 8.0.x, 7.0.x, 6.0.x). The root cause: Realm implementations did not process the supplied password when the username did not exist, enabling a timing attack to determine valid usernames. The default LockOutRe...
CVE-2017-10078
CVE-2017-10078 affects Oracle Java SE 8u131 (Scripting) and can be exploited over network with multiple protocols, enabling high-impact confidentiality and integrity violations and data access. The vulnerability can be triggered by sandboxed Web Start/Applet use or via APIs without sandboxing. Th...
CVE-2016-6794
CVE-2016-6794 affects Apache Tomcat across multiple branches (7.x, 8.x, 9.x) and versions, where the system property replacement feature for configuration files can bypass a configured SecurityManager to read restricted system properties. Connected advisories show concrete impact and suggested fi...