35 matches found
CVE-2020-11984
CVE-2020-11984 affects Apache HTTP Server mod_proxy_uwsgi. Based on the provided documents, it is a vulnerability in httpd’s uwsgi handling that can lead to information disclosure and potentially remote code execution. The vulnerability was reported for Apache HTTP Server versions around 2.4.32 t...
CVE-2020-9490
CVE-2020-9490 affects Apache HTTP Server versions 2.4.20–2.4.43. A specially crafted value for the Cache-Digest header in an HTTP/2 request could cause a crash when the server subsequently attempts to HTTP/2 PUSH a resource. Mitigation for unpatched servers is to disable HTTP/2 PUSH via H2Push of...
CVE-2020-11993
CVE-2020-11993 affects Apache HTTP Server 2.4.20–2.4.43: when trace/debug is enabled for the HTTP/2 module and certain traffic patterns, logging can be performed on the wrong connection, leading to concurrent use of memory pools. Mitigation in public advisories: set LogLevel for mod_http2 above i...
CVE-2020-1935
CVE-2020-1935 affects Apache Tomcat across multiple branches: 9.0.0.M1–9.0.30, 8.5.0–8.5.50, and 7.0.0–7.0.99. It stems from HTTP header parsing that can mishandle end-of-line and Transfer-Encoding, enabling HTTP Request Smuggling when Tomcat sits behind certain reverse proxies. Impact is informa...
CVE-2021-4104
CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...
CVE-2019-17563
Tomcat CVE-2019-17563: A race-condition in FORM authentication allowed a session-fixation window in Tomcat 9.0.0.M1–9.0.29, 8.5.0–8.5.49, and 7.0.0–7.0.98. The issue is acknowledged as a vulnerability with practical exploitation not detailed in the provided docs. Affected products: Apache Tomcat....
CVE-2021-45105
Summary of CVE-2021-45105 (Log4j2) : Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...
CVE-2022-23302
CVE-2022-23302 affects Log4j 1.x JMSSink. TheDeserialization flaw allows remote code execution when an attacker can write to the Log4j configuration or when the configuration references an LDAP service the attacker controls. JMSSink can be triggered via a TopicConnectionFactoryBindingName to caus...
CVE-2019-7317
CVE-2019-7317 is a use-after-free involving png_image_free in libpng. A connected document ties this to the FLTK package, affecting versions less than 1.3.8-1, and states that upgrading to a later FLTK version resolves the issue. If applying this advisory, upgrade FLTK to 1.3.8-1 or newer for rem...
CVE-2022-23307
CVE-2022-23307 concerns a deserialization vulnerability in the Chainsaw component of Apache Log4j 1.x (Chainsaw bundled with Log4j 1.2.x). The root cause is unsafe deserialization of untrusted data via Chainsaw, allowing potential code execution. Multiple Atlassian products initially bundled Chai...
CVE-2022-23305
CVE-2022-23305 concerns Apache Log4j 1.x when configured with JDBCAppender: an SQL statement is built from a PatternLayout-converted value (notably %m), allowing an attacker to craft input to alter and potentially execute SQL. The issue is specific to Log4j 1.x if JDBCAppender is used; JDBCAppend...
CVE-2019-2729
CVE-2019-2729 affects Oracle WebLogic Server (Web Services component) with unauthenticated remote code execution via deserialization. Affected versions are 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. The vulnerability stems from improper deserialization (WebLogic Web Services / XMLDecoder context) an...
CVE-2020-15358
CVE-2020-15358 (SQLite) affects the SQLite library, specifically the query engine path in select.c where the query-flattener optimization mishandles constant propagation for multiSelectOrderBy. The root cause is a mishandling of transitive properties during constant propagation, leading to a heap...
CVE-2019-13990
CVE-2019-13990 affects Terracotta Quartz Scheduler within Atlassian Jira Service Management Data Center/Server and related Oracle Fusion Middleware deployments, via XXE in the Terracotta Quartz Scheduler component when parsing a job description. The root cause is an XML External Entity condition ...
CVE-2020-27218
CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...
CVE-2020-11655
SQLite through 3.31.1 is vulnerable to denial of service via a malformed window-function query caused by improper AggInfo initialization (CVE-2020-11655). Affected is the sqlite3 library used across distributions and apps; exploitation leads to segmentation faults. Remediation in the connected ad...
CVE-2020-11656
CVE-2020-11656 affects SQLite up to version 3.31.1, where the ALTER TABLE implementation has a use-after-free, demonstrated by an ORDER BY clause that belongs to a compound SELECT statement. Affected products/contexts in the linked documents consistently reference SQLite 3.31.1 or earlier. Some s...
CVE-2020-9327
The CVE-2020-9327 entry concerns SQLite 3.31.1. A NULL pointer dereference can be triggered by isAuxiliaryVtabOperator due to generated column optimizations, potentially causing a segmentation fault. The connected Astra Linux security bulletin confirms the same SQLite 3.31.1 issue but provides no...
CVE-2020-13871
SQLite 3.32.2 is affected by a use-after-free in resetAccumulator (select.c) due to a late parse tree rewrite for window functions. Impact could include a crash or arbitrary code execution. Remediation: upgrade to SQLite 3.32.3 or later (fix upstream).
CVE-2019-12415
CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The Connected documen...
CVE-2019-10219
The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...
CVE-2020-5421
CVE-2020-5421 affects Spring Framework releases across multiple lines (5.2.x to 5.0.x, 4.3.x and older). The issue arises from improper input handling of the jsessionid path parameter, which may bypass RFD Protection and weaken security controls. Affected products reference VMware Tanzu Spring Fr...
CVE-2021-2351
CVE-2021-2351 affects Oracle Database Server’s Advanced Networking Option, with affected versions 12.1.0.2, 12.2.0.1, and 19c. The vulnerability allows unauthenticated network access via Oracle Net to compromise the Advanced Networking Option, with access requiring user interaction (UI_R) and ris...
CVE-2019-12402
CVE-2019-12402 affects Apache Commons Compress 1.15–1.18, where the internal file-name encoding can loop infinitely and cause DoS when processing crafted archives. Connected docs show multiple vendors referencing this CVE in product advisories (e.g., Atlassian Confluence with dependency notes; IB...
CVE-2019-5427
CVE-2019-5427 affects c3p0, where versions older than 0.9.5.4 are vulnerable to a billion laughs (XML entity expansion) attack when loading XML configuration due to missing protections against recursive entity expansion. Public sources in connected documents confirm the issue exists in c3p0
CVE-2021-27807
CVE-2021-27807 affects Apache PDFBox 2.0.22 and earlier 2.0.x. The issue arises when loading a crafted PDF, triggering an infinite loop and causing denial of service. Connected IBM advisories confirm the same description and map remediation to upgrading to fixed PDFBox versions via product-specif...
CVE-2021-27906
CVE-2021-27906 affects Apache PDFBox; a crafted PDF can trigger an OutOfMemoryError when loading, impacting PDFBox 2.0.22 and earlier 2.0.x. The connected IBM/QRadar security bulletin confirms the same CVE ID and notes remediation: upgrade to IBM Cognos-related 2.0.6.12, then apply FixPack 2.0.6....
CVE-2018-14550
CVE-2018-14550 corresponds to a stack-based buffer overflow in libpng 1.6.35’s PNM decoding path, specifically in get_token() within pnm2png.c of pnm2png. The issue is triggered during third-party PNM decoding and is documented across multiple advisories (EulerOS, Gentoo GLSA, GN/NET, etc.). The ...
CVE-2021-1996
CVE-2021-1996 affects Oracle WebLogic Server (Oracle Fusion Middleware, Web Services component). Affected versions include 10.3.6.0.0 and 12.1.3.0.0. The issue allows a high-privilege attacker with network access via HTTP to compromise the server, with human interaction required and potential una...
CVE-2021-1993
CVE-2021-1993 affects Oracle Database Server’s Java VM component. Affected versions: 12.1.0.2, 12.2.0.1, 18c, 19c. An attacker with Create Session via Oracle Net and low privileges, requiring user interaction, can impact data integrity by compromising Java VM. CVSSv3.1 base score 4.8 (I), vector ...
CVE-2021-1999
CVE-2021-1999 affects Oracle ZFS Storage Appliance Kit (Oracle Systems) in the RAS subsystems with version 8.8. The vulnerability allows a high-privilege attacker who has local logon to compromise the kit, requiring user interaction. Attacks can lead to unauthorized creation, deletion, or modific...
CVE-2021-2445
CVE-2021-2445 affects Oracle Hyperion’s Hyperion Infrastructure Technology, specifically the Lifecycle Management component, with affected version 11.2.5.0. The vulnerability description indicates high-privilege access via network (HTTP) with required user interaction, enabling unauthorized creat...
CVE-2021-2347
CVE-2021-2347 affects Oracle Hyperion’s Hyperion Infrastructure Technology, specifically the Lifecycle Management component in the 11.2.5.0 release. The Red Hat and NVD entries mirror this: a vulnerability that can be exploited by a high-privilege attacker over HTTP with network access, requiring...
CVE-2020-14854
CVE-2020-14854 affects Oracle Hyperion Infrastructure Technology UI and Visualization (affected 11.1.2.4). Vulnerability allows a high-privileged attacker with network access via HTTP to compromise data with user interaction required; impact to confidentiality and integrity is indicated (CVE CVSS...
CVE-2026-35244
Oracle Hyperion Infrastructure Technology (Oracle Hyperion), component Lifecycle Management, is affected in version 11.2.24.0.000. The vulnerability allows a highly privileged attacker who can access over HTTP to cause unauthorized creation, deletion or modification of critical data or all access...