Lucene search

K
OracleCommunications Messaging Server

41 matches found

CVE
CVE
added 2021/12/14 12:15 p.m.1162 views

CVE-2021-4104

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remot...

7.5CVSS9.4AI score0.94358EPSS
In wildWeb
CVE
CVE
added 2021/12/18 12:15 p.m.1091 views

CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue wa...

5.9CVSS7.7AI score0.67558EPSS
In wildWeb
CVE
CVE
added 2022/01/18 4:15 p.m.733 views

CVE-2022-23302

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configura...

8.8CVSS9.3AI score0.72621EPSS
In wild
CVE
CVE
added 2022/01/18 4:15 p.m.643 views

CVE-2022-23307

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

9CVSS9.2AI score0.00752EPSS
CVE
CVE
added 2021/09/19 6:15 p.m.629 views

CVE-2021-40690

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any loca...

7.5CVSS7.4AI score0.0018EPSS
In wild
CVE
CVE
added 2022/01/18 4:15 p.m.612 views

CVE-2022-23305

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings int...

9.8CVSS9.4AI score0.14136EPSS
Web
CVE
CVE
added 2020/12/03 5:15 p.m.545 views

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

7.5CVSS7.3AI score0.00011EPSS
CVE
CVE
added 2017/04/17 9:59 p.m.535 views

CVE-2017-5645

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

9.8CVSS9.5AI score0.94013EPSS
CVE
CVE
added 2020/06/27 12:15 p.m.535 views

CVE-2020-15358

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

5.5CVSS6.8AI score0.00073EPSS
CVE
CVE
added 2021/08/18 3:15 p.m.481 views

CVE-2021-37714

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancell...

7.5CVSS7.3AI score0.00505EPSS
CVE
CVE
added 2021/02/08 8:15 p.m.454 views

CVE-2021-21290

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multip...

6.2CVSS6.2AI score0.00016EPSS
CVE
CVE
added 2020/04/09 3:15 a.m.451 views

CVE-2020-11655

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

7.5CVSS7.9AI score0.02825EPSS
CVE
CVE
added 2021/03/30 3:15 p.m.446 views

CVE-2021-21409

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-...

5.9CVSS6.5AI score0.04983EPSS
CVE
CVE
added 2020/04/09 3:15 a.m.377 views

CVE-2020-11656

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

9.8CVSS9.1AI score0.0652EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.372 views

CVE-2021-36090

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

7.5CVSS7.5AI score0.00279EPSS
CVE
CVE
added 2020/02/21 10:15 p.m.356 views

CVE-2020-9327

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

7.5CVSS7.8AI score0.01401EPSS
CVE
CVE
added 2020/12/18 1:15 a.m.343 views

CVE-2020-28052

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

8.1CVSS7.7AI score0.0378EPSS
CVE
CVE
added 2020/06/06 4:15 p.m.313 views

CVE-2020-13871

SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.

7.5CVSS7.4AI score0.02187EPSS
CVE
CVE
added 2021/06/16 12:15 p.m.303 views

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

7.5CVSS7AI score0.0006EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.291 views

CVE-2021-35515

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

7.5CVSS7.2AI score0.00119EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.286 views

CVE-2021-35517

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

7.5CVSS7.5AI score0.00313EPSS
CVE
CVE
added 2020/04/07 6:15 p.m.280 views

CVE-2020-11612

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

7.5CVSS7.3AI score0.01846EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.266 views

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

8.1CVSS7.7AI score0.02635EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.265 views

CVE-2021-35516

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

7.5CVSS7.3AI score0.00311EPSS
CVE
CVE
added 2020/09/17 7:15 p.m.264 views

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

8.1CVSS7.7AI score0.02107EPSS
CVE
CVE
added 2019/11/08 3:15 p.m.248 views

CVE-2019-10219

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

6.5CVSS6AI score0.01852EPSS
CVE
CVE
added 2021/06/16 12:15 p.m.211 views

CVE-2021-30468

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to...

7.5CVSS7.4AI score0.00399EPSS
CVE
CVE
added 2020/08/25 6:15 p.m.197 views

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

8.1CVSS7.7AI score0.03783EPSS
CVE
CVE
added 2021/06/12 10:15 a.m.178 views

CVE-2021-31811

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

5.5CVSS5.6AI score0.00393EPSS
CVE
CVE
added 2021/06/12 10:15 a.m.178 views

CVE-2021-31812

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

5.5CVSS5.6AI score0.0004EPSS
CVE
CVE
added 2021/03/19 4:15 p.m.167 views

CVE-2021-27906

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

5.5CVSS5.6AI score0.0044EPSS
CVE
CVE
added 2021/03/19 4:15 p.m.165 views

CVE-2021-27807

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

5.5CVSS5.6AI score0.00441EPSS
CVE
CVE
added 2021/03/31 8:15 a.m.147 views

CVE-2021-28657

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

5.5CVSS5.6AI score0.00251EPSS
CVE
CVE
added 2020/11/12 1:15 p.m.142 views

CVE-2020-13954

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnera...

6.1CVSS6.4AI score0.15538EPSS
CVE
CVE
added 2020/04/27 2:15 p.m.130 views

CVE-2020-9489

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to...

5.5CVSS6.2AI score0.0041EPSS
CVE
CVE
added 2020/03/23 2:15 p.m.128 views

CVE-2020-1950

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.

5.5CVSS5.5AI score0.00557EPSS
CVE
CVE
added 2019/04/17 3:29 p.m.124 views

CVE-2019-0228

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

9.8CVSS8.9AI score0.07835EPSS
CVE
CVE
added 2015/01/22 10:59 p.m.111 views

CVE-2014-7923

The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look...

7.5CVSS9.5AI score0.02277EPSS
CVE
CVE
added 2020/03/23 2:15 p.m.103 views

CVE-2020-1951

A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.

5.5CVSS5.5AI score0.00341EPSS
CVE
CVE
added 2015/01/22 10:59 p.m.86 views

CVE-2014-7926

The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero...

7.5CVSS9.5AI score0.02277EPSS
CVE
CVE
added 2016/07/21 10:15 a.m.27 views

CVE-2016-5455

Unspecified vulnerability in the Oracle Communications Messaging Server component in Oracle Communications Applications 6.3, 7.0, and 8.0 allows remote attackers to affect confidentiality via vectors related to Multiplexor.

5.3CVSS5.3AI score0.00509EPSS