Lucene search

K
OracleInsurance Policy Administration

31 matches found

CVE
CVE
added 2021/04/13 7:15 a.m.587 views

CVE-2021-29425

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal),...

5.8CVSS6.7AI score0.00319EPSS
In wild
CVE
CVE
added 2020/12/03 5:15 p.m.575 views

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

7.5CVSS7.3AI score0.00011EPSS
CVE
CVE
added 2021/07/14 7:15 a.m.555 views

CVE-2021-36374

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives a...

5.5CVSS6.2AI score0.00153EPSS
CVE
CVE
added 2017/04/17 9:59 p.m.542 views

CVE-2017-5645

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

9.8CVSS9.5AI score0.94013EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.384 views

CVE-2021-36090

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

7.5CVSS7.5AI score0.00279EPSS
CVE
CVE
added 2020/12/07 8:15 p.m.335 views

CVE-2020-17521

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the e...

5.5CVSS5.4AI score0.00357EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.303 views

CVE-2021-35515

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

7.5CVSS7.2AI score0.00107EPSS
CVE
CVE
added 2019/10/15 2:15 p.m.302 views

CVE-2019-17195

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

9.8CVSS9.2AI score0.11339EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.299 views

CVE-2021-35517

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

7.5CVSS7.5AI score0.0028EPSS
CVE
CVE
added 2020/12/27 5:15 a.m.281 views

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

8.1CVSS7.7AI score0.39669EPSS
CVE
CVE
added 2021/01/07 12:15 a.m.278 views

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

8.8CVSS7.7AI score0.02715EPSS
CVE
CVE
added 2021/07/13 8:15 a.m.277 views

CVE-2021-35516

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

7.5CVSS7.3AI score0.00277EPSS
CVE
CVE
added 2021/01/07 12:15 a.m.276 views

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

8.1CVSS7.7AI score0.02715EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.275 views

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

8.1CVSS7.7AI score0.03371EPSS
CVE
CVE
added 2021/02/24 6:15 p.m.273 views

CVE-2020-11987

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

8.2CVSS7.8AI score0.00268EPSS
CVE
CVE
added 2021/01/07 12:15 a.m.270 views

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

8.8CVSS7.7AI score0.61296EPSS
CVE
CVE
added 2021/01/07 12:15 a.m.269 views

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

8.8CVSS7.7AI score0.0251EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.269 views

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

8.8CVSS7.7AI score0.05946EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.268 views

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

8.1CVSS7.7AI score0.02317EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.268 views

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

8.1CVSS7.7AI score0.08163EPSS
CVE
CVE
added 2020/09/19 4:15 a.m.268 views

CVE-2020-5421

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

8.7CVSS7.2AI score0.63828EPSS
CVE
CVE
added 2021/05/27 3:15 p.m.264 views

CVE-2021-22118

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFl...

7.8CVSS7.5AI score0.00253EPSS
CVE
CVE
added 2019/11/08 3:15 p.m.262 views

CVE-2019-10219

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

6.5CVSS6AI score0.01674EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.261 views

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

8.8CVSS7.7AI score0.07387EPSS
CVE
CVE
added 2021/07/14 7:15 a.m.258 views

CVE-2021-36373

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

5.5CVSS6.1AI score0.00126EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.257 views

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

8.1CVSS7.7AI score0.02615EPSS
CVE
CVE
added 2021/01/06 11:15 p.m.255 views

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

8.1CVSS7.7AI score0.02413EPSS
CVE
CVE
added 2018/05/11 8:29 p.m.226 views

CVE-2018-1258

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

8.8CVSS9AI score0.0016EPSS
CVE
CVE
added 2021/07/21 3:15 p.m.212 views

CVE-2021-2351

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. S...

8.3CVSS8.5AI score0.03544EPSS
CVE
CVE
added 2021/02/23 7:15 p.m.168 views

CVE-2021-22112

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). Howev...

9CVSS8.4AI score0.00979EPSS
CVE
CVE
added 2021/07/19 3:15 p.m.117 views

CVE-2021-35043

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with &#00058 as the replacement for the : character.

6.1CVSS5.9AI score0.00331EPSS