Lucene search
+L
OracleBanking Credit Facilities Process Management

27 matches found

CVE
CVE
added 2022/04/01 12:0 a.m.1538 views

CVE-2022-22963

CVE-2022-22963 affects Spring Cloud Function: in versions 3.1.6, 3.2.2 and older unsupported releases, routing-expression using SpEL can be crafted by a user to trigger remote code execution and access local resources. The root cause is unsafe evaluation of SpEL within the HTTP request routing he...

9.8CVSS9.5AI score0.99939EPSS
In wildWeb
CVE
CVE
added 2021/02/15 12:15 p.m.598 views

CVE-2021-23337

CVE-2021-23337 (Lodash) affects Lodash versions prior to 4.17.21, vulnerable to Command Injection via the template function. Affected component: lodash.template; root cause: unsafe template evaluation. Impact per document: potential code execution with privileges of the running environment. Mitig...

7.2CVSS7.2AI score0.2241EPSS
CVE
CVE
added 2021/02/08 8:10 p.m.530 views

CVE-2021-21290

CVE-2021-21290 relates to Netty before 4.1.59.Final, where an insecure temp file in Unix-like systems could lead to local information disclosure when uploads are stored on disk via multipart decoders. The Unix temp dir is shared among users, and files created with File.createTempFile may have ins...

6.2CVSS6.2AI score0.01777EPSS
CVE
CVE
added 2021/03/30 3:5 p.m.509 views

CVE-2021-21409

The CVE concerns Netty’s HTTP/2 codec (io.netty:netty-codec-http2) where, before version 4.1.61.Final, a Content-Length check can be bypassed when a single Http2HeaderFrame with endStream set to true is used. This enables HTTP request smuggling if the request is proxied and translated to HTTP/1.1...

5.9CVSS6.5AI score0.04935EPSS
CVE
CVE
added 2021/05/28 9:0 p.m.487 views

CVE-2021-29505

CVE-2021-29505 affects XStream (Java XML serialization) in versions before 1.4.17. The public docs indicate the fix is in 1.4.17; multiple advisories (Debian, Fedora, Amazon Linux, Astra Linux) reference this CVE in the context of libxstream-java. Atlassian Jira Server/Data Center reports indicat...

8.8CVSS8.2AI score0.77735EPSS
CVE
CVE
added 2020/07/15 4:10 p.m.448 views

CVE-2020-8203

CVE-2020-8203 : Prototype pollution via lodash.zipObjectDeep in lodash versions before 4.17.20. The vulnerability allows modification of object prototypes, enabling attacker-controlled properties. IBM X-Force records this as a high-risk issue (CVSS~7.5; I/H, A/H; network driver with no user inter...

7.4CVSS6.9AI score0.05213EPSS
CVE
CVE
added 2020/11/16 9:0 p.m.447 views

CVE-2020-26217

XStream (Java) vulnerable to remote code execution via insecure XML deserialization. The issue affects versions before 1.4.14 where processing input streams can lead to arbitrary shell execution. The advisory notes that only users relying on a blocklist are affected, while those using the securit...

9.3CVSS8.2AI score0.85001EPSS
Web
CVE
CVE
added 2021/02/15 11:10 a.m.424 views

CVE-2020-28500

CVE-2020-28500 affects Lodash prior to 4.17.21, vulnerability is Regular Expression Denial of Service (ReDoS) via toNumber, trim and trimEnd. Connected IBM bulletin confirms the issue and enumerates the affected versions; the remediation is to upgrade Lodash to 4.17.21 or later. No exploitation d...

5.3CVSS6AI score0.07336EPSS
CVE
CVE
added 2020/12/18 12:52 a.m.391 views

CVE-2020-28052

CVE-2020-28052 — BC Java OpenBSDBCrypt.password check issue : In Legion of the Bouncy Castle BC Java versions 1.65 and 1.66, the OpenBSDBCrypt.checkPassword method can compare data incorrectly during password verification, causing some incorrect passwords to be treated as a match for different, p...

8.1CVSS7.7AI score0.0714EPSS
CVE
CVE
added 2020/12/27 4:32 a.m.312 views

CVE-2020-35728

CVE-2020-35728 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, where improper interaction between serialization gadgets and typing (related to embedded Xalan/JNDIConnectionPool) is described. The IBM bulletin (CVE list) confirms this vulnerability and its description, but does not provi...

8.1CVSS7.7AI score0.12504EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.307 views

CVE-2020-36180

The connected documents confirm CVE-2020-36180 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing, specifically involving DriverAdapterCPDS in org.apache.commons.dbcp2.cpdsadapter (and related CPDS drivers). A public ...

8.8CVSS7.7AI score0.05041EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.299 views

CVE-2020-36179

CVE-2020-36179 affects FasterXML Jackson Databind (2.x) prior to 2.9.10.8, where the interaction between serialization gadgets and typing (notably involving DriverAdapterCPDS variants) is mishandled. Several connected advisories corroborate an insecure-deserialization pattern that can be triggere...

8.8CVSS7.7AI score0.20929EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.296 views

CVE-2020-36182

CVE-2020-36182 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of serialization gadgets and typing involving DriverAdapterCPDS (org.apache.tomcat.dbcp.dbcp2.cpdsadapter). Do not speculate on exploitability beyond what is stated; some sources (e.g., Debian LTS advisory) ...

8.8CVSS7.7AI score0.05018EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.291 views

CVE-2020-36183

CVE-2020-36183 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing (JNDIConnectionPool gadget chain). Reported in IBM/X-Force and mirrored in Astra Linux bulletin; impact can be high (deserialization-based). Affected...

8.1CVSS7.7AI score0.0489EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.290 views

CVE-2020-36184

CVE-2020-36184 affects FasterXML jackson-databind 2.x before 2.9.10.8. The connected documents describe a vulnerability arising from the interaction between serialization gadgets and typing, tied to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (and related datasource classes). T...

8.8CVSS7.7AI score0.10379EPSS
CVE
CVE
added 2020/09/17 6:39 p.m.288 views

CVE-2020-24750

CVE-2020-24750 affects FasterXML jackson-databind 2.x prior to 2.9.10.6, where the interaction between serialization gadgets and typing is mishandled (CWE-502). This deserialization flaw could enable exploitation via untrusted data; the connected IBM/Cloudera doc confirms the CVE entry but does n...

8.1CVSS7.7AI score0.07327EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.286 views

CVE-2020-36185

CVE-2020-36185 is a Jackson Databind v2.x vulnerability (pre-2.9.10.8) where deserialization gadgets interact with typing, linked to SharedPoolDataSource/JNDI-related classes. Affected: jackson-databind 2.x before 2.9.10.8. Impact includes potential remote code execution via gadget chains. Remedi...

8.1CVSS7.7AI score0.05218EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.283 views

CVE-2020-36186

CVE-2020-36186 affects FasterXML jackson-databind 2.x up to before 2.9.10.8, where serialization gadgets and typing handling interact incorrectly in the presence of PerUserPoolDataSource (org.apache.tomcat.dbcp.dbcp.datasources). This deserialization-related flaw can impact confidentiality, integ...

8.1CVSS7.7AI score0.05218EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.283 views

CVE-2020-36188

The CVE-2020-36188 issue affects FasterXML jackson-databind 2.x prior to 2.9.10.8, caused by mis-handling serialization gadgets in combination with typing (notably involving com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource). The vulnerability is described across multiple source...

8.1CVSS7.7AI score0.10911EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.282 views

CVE-2020-36181

Consolidated evidence shows CVE-2020-36181 affects FasterXML jackson-databind 2.x before 2.9.10.8. The vulnerability arises from mishandling the interaction between serialization gadgets and typing, specifically related to DriverAdapterCPDS classes (notably org.apache.tomcat.dbcp.dbcp.cpdsadapter...

8.8CVSS7.7AI score0.05018EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.275 views

CVE-2020-36187

CVE-2020-36187 affects FasterXML jackson-databind 2.x before 2.9.10.8. The root cause is a mishandling of the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. The connected Astra Linux bulletin mirrors this description....

8.1CVSS7.7AI score0.05195EPSS
CVE
CVE
added 2021/06/12 9:45 a.m.210 views

CVE-2021-31812

Apache PDFBox vulnerability CVE-2021-31812: a specially crafted PDF can trigger an infinite loop while loading, affecting version 2.0.23 and all prior 2.0.x. Impact is listed as High for availability (DoS via resource exhaustion). The provided documents confirm the affected product/component and ...

5.5CVSS5.6AI score0.03054EPSS
CVE
CVE
added 2021/06/12 9:45 a.m.198 views

CVE-2021-31811

CVE-2021-31811: Apache PDFBox 2.0.23 and earlier is vulnerable to an OutOfMemoryError when loading a crafted PDF. IBM/QRadar advisories confirm the issue and recommend upgrading PDFBox to v2.0.24 (via PJ46568 iFix/FIXPACK) or newer.

5.5CVSS5.6AI score0.03445EPSS
CVE
CVE
added 2021/03/19 4:5 p.m.191 views

CVE-2021-27906

CVE-2021-27906 affects Apache PDFBox; a crafted PDF can trigger an OutOfMemoryError when loading, impacting PDFBox 2.0.22 and earlier 2.0.x. The connected IBM/QRadar security bulletin confirms the same CVE ID and notes remediation: upgrade to IBM Cognos-related 2.0.6.12, then apply FixPack 2.0.6....

5.5CVSS5.6AI score0.03337EPSS
CVE
CVE
added 2020/01/14 2:28 p.m.168 views

CVE-2019-12399

CVE-2019-12399 affects Apache Kafka Connect: when Connect workers are configured with config providers and a connector uses an externalized secret variable within a substring of a configuration value, an attacker can request a cluster’s task configuration and receive the plaintext secret instead ...

7.5CVSS7.3AI score0.03915EPSS
CVE
CVE
added 2019/04/17 2:7 p.m.155 views

CVE-2019-0228

CVE-2019-0228 affects Apache PDFBox 2.0.14, enabling an XML External Entity (XXE) attack via crafted XFDF. IBM advisories fix the vulnerability by upgrading IBM Operations Analytics - Log Analysis to version 1.3.7 (PDFBox handling) and Fedora advisories show a PDFBox update to 2.0.16. The vulnera...

9.8CVSS8.9AI score0.09451EPSS
CVE
CVE
added 2020/07/31 7:40 p.m.149 views

CVE-2020-5413

CVE-2020-5413 affects Spring Integration Kryo-based (de)serialization. When Kryo is configured with default options, unregistered classes can be resolved on demand, enabling deserialization gadgets to execute malicious code during data intake. The provided connected documents confirm the issue an...

9.8CVSS9.4AI score0.04409EPSS