9 matches found
CVE-2022-23302
CVE-2022-23302 affects Log4j 1.x JMSSink. TheDeserialization flaw allows remote code execution when an attacker can write to the Log4j configuration or when the configuration references an LDAP service the attacker controls. JMSSink can be triggered via a TopicConnectionFactoryBindingName to caus...
CVE-2022-23307
CVE-2022-23307 concerns a deserialization vulnerability in the Chainsaw component of Apache Log4j 1.x (Chainsaw bundled with Log4j 1.2.x). The root cause is unsafe deserialization of untrusted data via Chainsaw, allowing potential code execution. Multiple Atlassian products initially bundled Chai...
CVE-2022-23305
CVE-2022-23305 concerns Apache Log4j 1.x when configured with JDBCAppender: an SQL statement is built from a PatternLayout-converted value (notably %m), allowing an attacker to craft input to alter and potentially execute SQL. The issue is specific to Log4j 1.x if JDBCAppender is used; JDBCAppend...
CVE-2021-37714
CVE-2021-37714 affects jsoup (Java HTML parser) versions prior to 1.14.2. When parsing untrusted HTML/XML, the parser may loop, slow down, or throw exceptions, enabling a denial-of-service condition. A fix is available in jsoup 1.14.2. Workarounds include rate-limiting parsing input, capping inpu...
CVE-2021-42340
The CVE-2021-42340 issue is a memory leak in Apache Tomcat caused by the upgrade HTTP metric collector not releasing WebSocket resources after close. Affected versions include Tomcat 8.5.60–8.5.71, 9.0.40–9.0.53, 10.0.0-M1–10.0.11, and 10.1.0-M1–10.1.0-M5. Over time, this leak can lead to OutOfMe...
CVE-2021-23926
CVE-2021-23926 involves Apache XMLBeans up to 2.6.0, where XML parsers did not set necessary protections against malicious XML input, enabling an XML External Entity (XXE) attack and related.entity expansion concerns. The main impact cited is a potential denial of service or information disclosur...
CVE-2021-42575
The IBM Jazz Reporting Service is affected by CVE-2021-42575 (OWASP Java HTML Sanitizer before 20211018.1 fails to properly enforce policies for SELECT, STYLE, and OPTION). Affected versions: 7.1, 7.0.3, 7.0.2. Remediation via IBM: apply the relevant iFix from Fix Central (7.1: iFix005; 7.0.3: iF...
CVE-2021-30129
CVE-2021-30129 affects Apache Mina SSHD's sshd-core; a crafted request can trigger an OutOfMemory DoS in the SFTP and port forwarding features. Remediation: upgrade to Apache Mina SSHD 2.7.0 (fix documented in the IBM PEM advisory referencing this CVE). If applying via IBM PEM, follow their patch...
CVE-2021-35043
CVE-2021-35043 affects OWASP AntiSamy prior to 1.6.4. The issue is a cross-site scripting (XSS) flaw in the HTML output serializer where HTML attributes can be exploited, demonstrated by a javascript: URL substituted via : for the colon character. The vulnerability is documented in OSV (GHS...