Lucene search
+L
OracleCommunications Policy Management

50 matches found

CVE
CVE
added 2022/04/01 10:17 p.m.2502 views

CVE-2022-22965

CVE-2022-22965 (Spring4Shell) affects Spring Framework’s Spring MVC and Spring WebFlux when data binding is enabled in apps running on JDK 9+, with exploitation requiring Tomcat as WAR deployment. The issue is not exploited in Spring Boot executable jars. Vulnerable configurations are associated ...

9.8CVSS8.7AI score0.99677EPSS
In wildWeb
CVE
CVE
added 2018/08/22 1:0 p.m.1789 views

CVE-2018-11776

The CVE-2018-11776 issue affects Apache Struts 2.x versions 2.3–2.3.34 and 2.5–2.5.16. The underlying condition is when alwaysSelectFullNamespace is true and a result or url tag lacks a namespace/value, and the upper namespace/action configuration also has no or a wildcard namespace, allowing rem...

9.3CVSS8.4AI score0.99993EPSS
In wild
CVE
CVE
added 2020/12/11 1:11 a.m.1430 views

CVE-2020-17530

CVE-2020-17530 describes a vulnerability in Apache Struts 2 where forced OGNL evaluation on raw user input in tag attributes can cause remote code execution. Affected products range from Struts 2.0.0 up to 2.5.25. The description states that evaluating untrusted input via the %{...} syntax enable...

9.8CVSS9.6AI score0.95922EPSS
In wild
CVE
CVE
added 2015/04/01 12:0 a.m.950 views

CVE-2015-2808

CVE-2015-2808 concerns RC4 usage in TLS/SSL within OpenJDK/OpenJDK components. The Invariance Weakness (Bar Mitzvah) means RC4 key material can leak partial plaintext from the first bytes of a TLS/SSL stream, enabling plaintext-recovery under certain traffic patterns. Public advisories for OpenJD...

5CVSS4.8AI score0.73851EPSS
CVE
CVE
added 2021/12/08 12:0 a.m.669 views

CVE-2021-43527

CVE-2021-43527 describes a heap overflow in NSS when handling DER-encoded DSA or RSA-PSS signatures. The vulnerability affects NSS versions prior to 3.73 (and 3.68.1 ESR for some configurations) and can impact applications using NSS for signatures in CMS, S/MIME, PKCS#7, or PKCS#12, as well as th...

9.8CVSS9.6AI score0.17563EPSS
CVE
CVE
added 2021/04/13 6:50 a.m.637 views

CVE-2021-29425

CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...

5.8CVSS6.7AI score0.10608EPSS
In wild
CVE
CVE
added 2021/07/12 2:55 p.m.612 views

CVE-2021-33037

CVE-2021-33037 affects Apache Tomcat: versions 10.0.0-M1–10.0.6, 9.0.0.M1–9.0.46, and 8.5.0–8.5.66 may mishandle the HTTP transfer-encoding header with reverse proxies, enabling request smuggling. Root cause: improper header handling allowing spoofed content encoding sequencing. Impact stated in ...

5.3CVSS6.1AI score0.75353EPSS
CVE
CVE
added 2015/01/28 7:0 p.m.603 views

CVE-2015-0235

CVE-2015-0235 (GHOST) is a heap-based buffer overflow in glibc’s __nss_hostname_digits_dots() used by gethostbyname/gethostbyname2. Affected glibc versions include 2.2 up to 2.17; patched in glibc-2.18 and later. Exploitation could allow remote or context-dependent arbitrary code execution depend...

10CVSS7.7AI score0.94859EPSS
In wild
CVE
CVE
added 2020/01/16 11:55 p.m.578 views

CVE-2020-5398

CVE-2020-5398 (Spring Framework) affects Spring Framework versions: 5.0.x before 5.0.16, 5.1.x before 5.1.13, and 5.2.x before 5.2.3. The vulnerability is a reflected file download (RFD) attack triggered when an application sets a Content-Disposition header whose filename is derived from user inp...

8CVSS7.3AI score0.88077EPSS
Web
CVE
CVE
added 2021/03/22 11:40 p.m.495 views

CVE-2021-21342

CVE-2021-21342 affects the Java library XStream (prior to 1.4.16). During unmarshalling, the processed input stream can include type information used to recreate objects, enabling an attacker to inject/replace objects and trigger a server-side forgery. The documented fix is to upgrade to at least...

9.1CVSS7.3AI score0.4999EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.488 views

CVE-2021-21343

CVE-2021-21343 affects XStream (Java) prior to 1.4.16. The vulnerability arises during unmarshalling when the processed input stream carries type information, enabling an attacker to create new instances based on that data and potentially replace or inject objects, including causing local file de...

7.5CVSS7.1AI score0.46666EPSS
CVE
CVE
added 2020/09/14 4:41 p.m.482 views

CVE-2019-0230

CVE-2019-0230 affects Apache Struts 2.0.0–2.5.20 and is caused by forced double OGNL evaluation on raw user input in tag attributes, potentially enabling remote code execution. Reported impact is remote code execution with high severity (CVE CVSSv3 9.8). Mitigation documented in the sources inclu...

9.8CVSS9.5AI score0.97399EPSS
In wildWeb
CVE
CVE
added 2021/03/22 11:40 p.m.456 views

CVE-2021-21344

Summary: CVE-2021-21344 affects the XStream Java XML serialization library. In versions before 1.4.16, a remote attacker can load and execute arbitrary code by manipulating the processed input stream. The risk is mitigated if the security framework whitelist is properly configured; otherwise the ...

9.8CVSS8AI score0.7598EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.448 views

CVE-2021-21351

CVE-2021-21351 is an XStream deserialization vulnerability. Connected IBM advisories confirm the issue affects IBM Data Risk Manager (IDRM) and IBM Engineering/Test Management products via bundled XStream versions, with exploitation through unmarshalling to achieve arbitrary code execution. Remed...

9.1CVSS8.1AI score0.82136EPSS
CVE
CVE
added 2020/11/16 9:0 p.m.446 views

CVE-2020-26217

XStream (Java) vulnerable to remote code execution via insecure XML deserialization. The issue affects versions before 1.4.14 where processing input streams can lead to arbitrary shell execution. The advisory notes that only users relying on a blocklist are affected, while those using the securit...

9.3CVSS8.2AI score0.85001EPSS
Web
CVE
CVE
added 2021/03/22 11:40 p.m.425 views

CVE-2021-21346

XStream (Java XML serialization library) has CVE-2021-21346 among a set of 2021-04x vulnerabilities. The issue affects XStream prior to 1.4.16 where processing input streams can lead to remote code execution or related impacts if exploitation occurs, with mitigations including enabling the Securi...

9.8CVSS8.3AI score0.76367EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.423 views

CVE-2021-21345

CVE-2021-21345 affects the XStream Java library. Per connected sources, vulnerable versions are those before 1.4.16, where an attacker with sufficient rights can remotely execute commands on the host by manipulating the processed input stream. The issue is mitigated by upgrading to 1.4.16 or late...

9.9CVSS7.8AI score0.72324EPSS
CVE
CVE
added 2020/03/10 5:50 p.m.415 views

CVE-2020-5258

CVE-2020-5258 affects the Dojo NPM package where the deepCopy function is vulnerable to Prototype Pollution. The root cause is injection of properties into native JavaScript prototypes, allowing an attacker to mutate a base object’s prototype. Patched versions are 1.12.8, 1.13.7, 1.14.6, 1.15.3 a...

7.7CVSS7.7AI score0.0399EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.413 views

CVE-2021-21347

CVE-2021-21347 affects XStream Java library (pre-1.4.16). The vulnerability allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream, with high severity when not using a proper security framework. Guidance across sources indicates u...

9.8CVSS8.3AI score0.14301EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.411 views

CVE-2021-21349

XStream (Java) before 1.4.16 is vulnerable to an input-stream manipulation flaw (CVE-2021-21349) that may allow a remote attacker to access data from internal resources not publicly available. The issue arises from processing the input stream during deserialization. A fix is available in XStream ...

8.6CVSS7.8AI score0.46826EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.401 views

CVE-2021-21350

CVE-2021-21350 affects the XStream Java library. Connected sources confirm that before version 1.4.16 XStream allowed remote code execution by manipulating the processed input stream, with guidance to enable a security whitelist and upgrade to at least 1.4.16. Debian security advisories (DSA-5004...

9.8CVSS8AI score0.15234EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.394 views

CVE-2021-21348

XStream (Java) before version 1.4.16 is vulnerable to a denial of service where a remote attacker can cause a thread to consume maximum CPU time and not return. Public documents consistently describe the issue as affecting XStream’s XML deserialization, with mitigation requiring upgrading to at l...

7.8CVSS7.2AI score0.13832EPSS
CVE
CVE
added 2020/12/27 4:32 a.m.311 views

CVE-2020-35728

CVE-2020-35728 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, where improper interaction between serialization gadgets and typing (related to embedded Xalan/JNDIConnectionPool) is described. The IBM bulletin (CVE list) confirms this vulnerability and its description, but does not provi...

8.1CVSS7.7AI score0.12504EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.307 views

CVE-2020-36180

The connected documents confirm CVE-2020-36180 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing, specifically involving DriverAdapterCPDS in org.apache.commons.dbcp2.cpdsadapter (and related CPDS drivers). A public ...

8.8CVSS7.7AI score0.05041EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.297 views

CVE-2020-36179

CVE-2020-36179 affects FasterXML Jackson Databind (2.x) prior to 2.9.10.8, where the interaction between serialization gadgets and typing (notably involving DriverAdapterCPDS variants) is mishandled. Several connected advisories corroborate an insecure-deserialization pattern that can be triggere...

8.8CVSS7.7AI score0.20929EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.293 views

CVE-2020-36182

CVE-2020-36182 affects FasterXML jackson-databind 2.x before 2.9.10.8, due to mishandling of serialization gadgets and typing involving DriverAdapterCPDS (org.apache.tomcat.dbcp.dbcp2.cpdsadapter). Do not speculate on exploitability beyond what is stated; some sources (e.g., Debian LTS advisory) ...

8.8CVSS7.7AI score0.05018EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.291 views

CVE-2020-36183

CVE-2020-36183 affects FasterXML jackson-databind 2.x prior to 2.9.10.8, due to mishandling of interaction between serialization gadgets and typing (JNDIConnectionPool gadget chain). Reported in IBM/X-Force and mirrored in Astra Linux bulletin; impact can be high (deserialization-based). Affected...

8.1CVSS7.7AI score0.0489EPSS
CVE
CVE
added 2021/01/06 10:30 p.m.290 views

CVE-2020-36184

CVE-2020-36184 affects FasterXML jackson-databind 2.x before 2.9.10.8. The connected documents describe a vulnerability arising from the interaction between serialization gadgets and typing, tied to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (and related datasource classes). T...

8.8CVSS7.7AI score0.10379EPSS
CVE
CVE
added 2020/09/17 6:39 p.m.288 views

CVE-2020-24750

CVE-2020-24750 affects FasterXML jackson-databind 2.x prior to 2.9.10.6, where the interaction between serialization gadgets and typing is mishandled (CWE-502). This deserialization flaw could enable exploitation via untrusted data; the connected IBM/Cloudera doc confirms the CVE entry but does n...

8.1CVSS7.7AI score0.07327EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.286 views

CVE-2020-36185

CVE-2020-36185 is a Jackson Databind v2.x vulnerability (pre-2.9.10.8) where deserialization gadgets interact with typing, linked to SharedPoolDataSource/JNDI-related classes. Affected: jackson-databind 2.x before 2.9.10.8. Impact includes potential remote code execution via gadget chains. Remedi...

8.1CVSS7.7AI score0.05218EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.283 views

CVE-2020-36188

The CVE-2020-36188 issue affects FasterXML jackson-databind 2.x prior to 2.9.10.8, caused by mis-handling serialization gadgets in combination with typing (notably involving com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource). The vulnerability is described across multiple source...

8.1CVSS7.7AI score0.10911EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.281 views

CVE-2020-36181

Consolidated evidence shows CVE-2020-36181 affects FasterXML jackson-databind 2.x before 2.9.10.8. The vulnerability arises from mishandling the interaction between serialization gadgets and typing, specifically related to DriverAdapterCPDS classes (notably org.apache.tomcat.dbcp.dbcp.cpdsadapter...

8.8CVSS7.7AI score0.05018EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.281 views

CVE-2020-36186

CVE-2020-36186 affects FasterXML jackson-databind 2.x up to before 2.9.10.8, where serialization gadgets and typing handling interact incorrectly in the presence of PerUserPoolDataSource (org.apache.tomcat.dbcp.dbcp.datasources). This deserialization-related flaw can impact confidentiality, integ...

8.1CVSS7.7AI score0.05218EPSS
CVE
CVE
added 2022/02/01 12:8 p.m.275 views

CVE-2021-43859

XStream Java library (versions before 1.4.19) is vulnerable to a remote DoS via crafted input streams that can cause 100% CPU, depending on CPU type/parallelism. The fix is upgrading to XStream 1.4.19, which monitors element-adding times and throws an exception when a threshold is exceeded; a NO_...

7.5CVSS7.5AI score0.07934EPSS
CVE
CVE
added 2021/01/06 10:29 p.m.273 views

CVE-2020-36187

CVE-2020-36187 affects FasterXML jackson-databind 2.x before 2.9.10.8. The root cause is a mishandling of the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. The connected Astra Linux bulletin mirrors this description....

8.1CVSS7.7AI score0.05195EPSS
CVE
CVE
added 2021/12/17 8:5 p.m.251 views

CVE-2021-23450

CVE-2021-23450 describes a Prototype Pollution vulnerability in the Dojo package, exposed via the setObject function. Multiple connected advisories confirm Dojo is affected and note remediation by upgrading to fixed Dojo versions in vendor advisories (IBM, other vendors) and related security bull...

9.8CVSS8.7AI score0.30367EPSS
CVE
CVE
added 2018/04/06 1:0 p.m.239 views

CVE-2018-1271

The CVE-2018-1271 issue affects Spring Framework versions 5.0 before 5.0.5 and 4.3 before 4.3.15 (and older unsupported) where Spring MVC can be configured to serve static resources from the Windows file system. A malicious user can issue a crafted URL to trigger a directory traversal when resour...

5.9CVSS7.2AI score0.35681EPSS
CVE
CVE
added 2020/01/17 6:50 p.m.233 views

CVE-2020-5397

CVE-2020-5397 - Normal details Affected software: Spring Framework 5.2.x (prior to 5.2.3) where CSRF is possible via CORS preflight requests targeting Spring MVC (spring-webmvc) or Spring WebFlux (spring-webflux). Vulnerability and impact: Non-authenticated endpoints can be exploited through pref...

5.3CVSS5.5AI score0.02382EPSS
CVE
CVE
added 2020/08/25 5:4 p.m.224 views

CVE-2020-24616

The CVE-2020-24616 vulnerability affects FasterXML jackson-databind 2.x prior to 2.9.10.6, arising from the interaction between serialization gadgets and typing (related to br.com.anteros.dbcp.AnterosDBCPDataSource). Root cause is unsafe deserialization via Gadget chains in Jackson Databind. Impa...

8.1CVSS7.7AI score0.09422EPSS
CVE
CVE
added 2015/01/21 7:0 p.m.197 views

CVE-2015-0411

CVE-2015-0411 concerns an unspecified remote vulnerability in Oracle MySQL Server versions 5.5.40 and earlier and 5.6.21 and earlier, related to Server: Security: Encryption. The impact is partial confidentiality, integrity, and availability loss via remote access. Connected advisories indicate r...

7.5CVSS6.5AI score0.10038EPSS
CVE
CVE
added 2015/04/16 4:0 p.m.162 views

CVE-2015-0433

The CVE-2015-0433 entry concerns an unspecified vulnerability in Oracle MySQL Server (affected versions: 5.5.41 and earlier; 5.6.22 and earlier) that could allow remote authenticated users to affect availability via InnoDB : DML. Connected advisories from Debian, CentOS, Gentoo, and IBM/Tivoli sh...

4CVSS4.8AI score0.05421EPSS
CVE
CVE
added 2015/04/16 4:0 p.m.162 views

CVE-2015-2568

CVE-2015-2568 affects Oracle MySQL Server 5.5.41 and earlier and 5.6.22 and earlier. The vulnerability is described as unspecified with impact to availability, due to issues in the Server : Security : Privileges area. The provided sources indicate a remote attacker could cause a denial of service...

5CVSS5AI score0.0715EPSS
CVE
CVE
added 2020/09/14 4:50 p.m.151 views

CVE-2019-0233

CVE-2019-0233 is an Apache Struts vulnerability (affecting Struts 2.0.0–2.5.20) where an access-permission override during file uploads can cause a Denial of Service. Exploitation requires a crafted request, and the impact is DoS during subsequent uploads. Remediation is to upgrade to a fixed Str...

7.5CVSS8.1AI score0.68761EPSS
CVE
CVE
added 2015/01/21 6:0 p.m.133 views

CVE-2015-0382

CVE-2015-0382 is a remote-availability vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier, related to Server: Replication, separate from CVE-2015-0381. The connected advisories show multiple vendors/types referencing MySQL/MariaDB vulnerabilities with potential DoS or ...

4.3CVSS6.6AI score0.10066EPSS
CVE
CVE
added 2015/01/21 6:0 p.m.128 views

CVE-2015-0381

Technical details for CVE-2015-0381 are not publicly available in the provided documents. No specific affected products, versions, root cause, impact, or fixes are described here; monitor for updates.

4.3CVSS6.6AI score0.05428EPSS
CVE
CVE
added 2017/08/08 3:0 p.m.113 views

CVE-2017-3633

CVE-2017-3633 is a vulnerability in the MySQL Server Memcached subcomponent. An unauthenticated attacker with network access via Memcached can exploit it to cause a hang or crash (DoS) and potentially perform unauthorized updates/inserts/deletes on MySQL data. Affected versions are MySQL 5.6.36 a...

6.5CVSS5.6AI score0.02952EPSS
CVE
CVE
added 2015/04/16 4:0 p.m.94 views

CVE-2015-0500

CVE-2015-0500 is an unspecified vulnerability affecting Oracle MySQL Server 5.6.23 and earlier, permitting remote authenticated users to affect availability via unknown vectors. The issue is listed in multiple advisories and OpenVAS entries; affected version range is 5.6.23 and earlier. The provi...

4CVSS7.7AI score0.02445EPSS
CVE
CVE
added 2015/01/21 6:0 p.m.85 views

CVE-2015-0409

CVE-2015-0409 refers to an unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier that can be exploited by a remote authenticated user to affect availability, via unknown vectors related to the Optimizer. The connected documents confirm this CVE is included in OpenVAS/SUSE advisories...

4CVSS6.2AI score0.02428EPSS
CVE
CVE
added 2015/04/16 4:0 p.m.80 views

CVE-2015-0423

CVE-2015-0423 affects Oracle MySQL Server 5.6.22 and earlier. The vulnerability is unspecified but related to the Optimizer, allowing remote authenticated users to affect availability (baseline CVSS v2 4.0). Mitigation: upgrade to patched releases per Oracle CPU advisory (CPU APR 2015).

4CVSS7.5AI score0.02288EPSS
CVE
CVE
added 2017/10/19 5:0 p.m.60 views

CVE-2017-10159

CVE-2017-10159 affects the Oracle Communications Policy Management component of Oracle Communications Applications (subcomponent: Portal, CMP). Affected versions are 11.5 and 12.x . The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Policy Management, ...

6.1CVSS5.6AI score0.0144EPSS