32 matches found
CVE-2022-22965
CVE-2022-22965 (Spring4Shell) affects Spring Framework’s Spring MVC and Spring WebFlux when data binding is enabled in apps running on JDK 9+, with exploitation requiring Tomcat as WAR deployment. The issue is not exploited in Spring Boot executable jars. Vulnerable configurations are associated ...
CVE-2020-2555
CVE-2020-2555 (WebLogic/Coherence) : A deserialization vulnerability in Oracle Coherence (Fusion Middleware) enables unauthenticated remote code execution via the T3 protocol. Affected versions include Coherence 3.7.1.x, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0. The flaw originates from ReflectionExtra...
CVE-2020-36518
CVE-2020-36518 affects jackson-databind prior to 2.13.0, enabling a Java StackOverflow and DoS via excessive nesting depth. In affected advisories, remediation is to upgrade jackson-databind to 2.13.0+ (examples show 2.13.x or newer such as 2.13.4.2 in Crowd/CWD references). Practical impact is d...
CVE-2021-40690
The CVE-2021-40690 issue affects Apache Santuario – XML Security for Java. All versions prior to 2.2.3 and 2.1.7 are vulnerable due to the "secureValidation" property not being passed when creating a KeyInfo from a KeyInfoReference element, enabling an XPath Transform abuse to extract local .xml ...
CVE-2020-25649
The CVE-2020-25649 entry concerns a flaw in FasterXML Jackson Databind where entity expansion was not properly secured, enabling XML External Entity (XXE) attacks. This is a data-integrity risk. Connected advisories consistently associate the issue with Jackson Databind and XXE, and several sourc...
CVE-2020-35728
CVE-2020-35728 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, where improper interaction between serialization gadgets and typing (related to embedded Xalan/JNDIConnectionPool) is described. The IBM bulletin (CVE list) confirms this vulnerability and its description, but does not provi...
CVE-2020-36180
The connected documents confirm CVE-2020-36180 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing, specifically involving DriverAdapterCPDS in org.apache.commons.dbcp2.cpdsadapter (and related CPDS drivers). A public ...
CVE-2019-10219
The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...
CVE-2020-36179
CVE-2020-36179 affects FasterXML Jackson Databind (2.x) prior to 2.9.10.8, where the interaction between serialization gadgets and typing (notably involving DriverAdapterCPDS variants) is mishandled. Several connected advisories corroborate an insecure-deserialization pattern that can be triggere...
CVE-2020-36182
CVE-2020-36182 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of serialization gadgets and typing involving DriverAdapterCPDS (org.apache.tomcat.dbcp.dbcp2.cpdsadapter). Do not speculate on exploitability beyond what is stated; some sources (e.g., Debian LTS advisory) ...
CVE-2020-36183
CVE-2020-36183 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing (JNDIConnectionPool gadget chain). Reported in IBM/X-Force and mirrored in Astra Linux bulletin; impact can be high (deserialization-based). Affected...
CVE-2020-36189
CVE-2020-36189 affects FasterXML jackson-databind 2.x before 2.9.10.8. The issue is a deserialization/serialization typing interaction with gadgets (e.g., logback, MySQL/commons proxies) that can lead to arbitrary code execution, data exfiltration or integrity/availability impacts as described in...
CVE-2020-36184
CVE-2020-36184 affects FasterXML jackson-databind 2.x before 2.9.10.8. The connected documents describe a vulnerability arising from the interaction between serialization gadgets and typing, tied to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (and related datasource classes). T...
CVE-2020-36185
CVE-2020-36185 is a Jackson Databind v2.x vulnerability (pre-2.9.10.8) where deserialization gadgets interact with typing, linked to SharedPoolDataSource/JNDI-related classes. Affected: jackson-databind 2.x before 2.9.10.8. Impact includes potential remote code execution via gadget chains. Remedi...
CVE-2020-36181
Consolidated evidence shows CVE-2020-36181 affects FasterXML jackson-databind 2.x before 2.9.10.8. The vulnerability arises from mishandling the interaction between serialization gadgets and typing, specifically related to DriverAdapterCPDS classes (notably org.apache.tomcat.dbcp.dbcp.cpdsadapter...
CVE-2020-36188
The CVE-2020-36188 issue affects FasterXML jackson-databind 2.x prior to 2.9.10.8, caused by mis-handling serialization gadgets in combination with typing (notably involving com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource). The vulnerability is described across multiple source...
CVE-2020-36186
CVE-2020-36186 affects FasterXML jackson-databind 2.x up to before 2.9.10.8, where serialization gadgets and typing handling interact incorrectly in the presence of PerUserPoolDataSource (org.apache.tomcat.dbcp.dbcp.datasources). This deserialization-related flaw can impact confidentiality, integ...
CVE-2020-36187
CVE-2020-36187 affects FasterXML jackson-databind 2.x before 2.9.10.8. The root cause is a mishandling of the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. The connected Astra Linux bulletin mirrors this description....
CVE-2021-2351
CVE-2021-2351 affects Oracle Database Server’s Advanced Networking Option, with affected versions 12.1.0.2, 12.2.0.1, and 19c. The vulnerability allows unauthenticated network access via Oracle Net to compromise the Advanced Networking Option, with access requiring user interaction (UI_R) and ris...
CVE-2022-21387
CVE-2022-21387 : A vulnerability in Oracle Commerce Platform (Dynamo Application Framework) affects versions 11.3.0, 11.3.1, and 11.3.2. An unauthenticated, network-accessible attacker over HTTP can read a subset of data from the Oracle Commerce Platform. CVSSv3.1 base score is 5.3 (Confidentiali...
CVE-2021-2463
The CVE-2021-2463 entry concerns Oracle Commerce Platform (Dynamo Application Framework) with affected versions 11.0.0, 11.1.0, 11.2.0 and 11.3.0–11.3.2. The vulnerability is exploitable remotely over HTTP by an unauthenticated attacker and can lead to takeover of the Oracle Commerce Platform, pe...
CVE-2022-21559
CVE-2022-21559 affects Oracle Commerce Platform (Dynamo Application Framework) with affected versions 11.3.0, 11.3.1 and 11.3.2. The vulnerability enables a low-privilege user who can log on to the infrastructure where Oracle Commerce Platform runs to potentially compromise the platform, leading ...
CVE-2024-21100
CVE-2024-21100 affects Oracle Commerce Platform (Platform component) in Oracle Commerce, specifically versions 11.3.0–11.3.2. The root cause is insufficient input validation that allows an unauthenticated attacker with network access via HTTP to compromise the platform, potentially enabling unaut...
CVE-2025-21576
CVE-2025-21576 affects Oracle Commerce Platform (Dynamo Personalization Server) for Oracle Commerce versions 11.3.0–11.3.2. The vulnerability enables a low-privileged, network-accessible attacker (via HTTP) to compromise the platform, with user interaction required, potentially leading to unautho...
CVE-2015-2607
CVE-2015-2607 affects Oracle Commerce Guided Search / Oracle Commerce Experience Manager within Oracle Commerce Platform (versions 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1). The vulnerability is an authentication bypass in Oracle Endeca Tools and Frameworks session generation: if an auth parameter is prov...
CVE-2015-2653
The CVE-2015-2653 entry applies to Oracle Commerce Guided Search / Oracle Commerce Experience Manager within Oracle Commerce Platform. Affected products include Oracle Commerce Platform versions 3.1.1, 3.1.2, 11.0, and 11.1, specifically via the Content Acquisition System (CAS) interface. The con...
CVE-2020-14532
The CVE-2020-14532 affects Oracle Commerce Platform (Dynamo Application Framework) with vulnerable versions 11.1, 11.2 and prior to 11.3.1. The vulnerability enables an unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform, requiring human interaction from a...
CVE-2019-2659
CVE-2019-2659 concerns Oracle Commerce Platform (Dynamo Application Framework) with affected version 11.2.0.3. The Red Hat/NVD descriptions indicate unauthenticated network access over HTTP and a requirement for user interaction, allowing unauthorized read and read/write actions on Oracle Commerc...
CVE-2020-14533
CVE-2020-14533 affects Oracle Commerce Platform (Dynamo Application Framework). Affected versions include 11.1, 11.2 and prior to 11.3.1. The flaw allows a high-privilege attacker with network access via HTTP to compromise the platform, with attack steps requiring human interaction. Potential out...
CVE-2015-0510
Oracle Commerce Platform (9.4, 10.0, 10.2) is affected by a vulnerability in the Dynamo Application Framework – HTML Admin User Interface. The issue, described in connected CNVD data, allows a remote attacker to update, insert, or delete data, compromising data integrity. The root cause details a...
CVE-2017-3296
CVE-2017-3296 affects Oracle Commerce Platform (Dynamo Application Framework) with affected versions 10.0.3.5, 10.2.0.5, and 11.2.0.2. The vulnerability allows an unauthenticated attacker, with network access via HTTP, to compromise the platform and read a subset of data; exploitation requires hu...
CVE-2019-2712
CVE-2019-2712 affects Oracle Commerce Platform (Dynamo Application Framework) with affected versions 11.2.0.3 and 11.3.1. Multiple sources describe a vulnerability that allows an unauthenticated attacker, with network access over HTTP, to compromise the Oracle Commerce Platform. The exploit requi...