Lucene search
+L
OracleMysql Enterprise Monitor

58 matches found

CVE
CVE
added 2020/02/24 9:19 p.m.4252 views

CVE-2020-1938

CVE-2020-1938 (Tomcat AJP vulnerability) : The issue affects Apache Tomcat where the AJP Connector, enabled by default in several legacy releases, could be reached through untrusted networks. An attacker could exploit the configured AJP path to read arbitrary files in the web application and pote...

9.8CVSS9.9AI score0.9927EPSS
In wildWeb
CVE
CVE
added 2022/04/01 10:17 p.m.2503 views

CVE-2022-22965

CVE-2022-22965 (Spring4Shell) affects Spring Framework’s Spring MVC and Spring WebFlux when data binding is enabled in apps running on JDK 9+, with exploitation requiring Tomcat as WAR deployment. The issue is not exploited in Spring Boot executable jars. Vulnerable configurations are associated ...

9.8CVSS8.7AI score0.99677EPSS
In wildWeb
CVE
CVE
added 2021/02/16 4:55 p.m.2013 views

CVE-2021-23841

CVE-2021-23841 is described in connected advisories as a NULL pointer dereference in OpenSSL’s X509_issuer_and_serial_hash() when parsing the issuer field. This can crash a process if certificates from untrusted sources are processed and the issuer parsing fails, enabling a potential denial of se...

5.9CVSS7AI score0.07471EPSS
CVE
CVE
added 2018/08/22 1:0 p.m.1789 views

CVE-2018-11776

The CVE-2018-11776 issue affects Apache Struts 2.x versions 2.3–2.3.34 and 2.5–2.5.16. The underlying condition is when alwaysSelectFullNamespace is true and a result or url tag lacks a namespace/value, and the upper namespace/action configuration also has no or a wildcard namespace, allowing rem...

9.3CVSS8.4AI score0.99993EPSS
In wild
CVE
CVE
added 2017/10/03 3:0 p.m.1609 views

CVE-2017-12617

CVE-2017-12617 concerns Apache Tomcat JSP upload via HTTP PUT when readonly=false and PUTs are allowed. Affected: Tomcat 7.x/8.x/9.x (various 7.0.0–7.0.81, 8.0.0.RC1–8.0.46, 8.5.0–8.5.22, 9.0.0.M1–9.0.0) with PUT enabled. Root cause: PUT request handling allowed uploading a JSP, enabling remote c...

8.1CVSS7.5AI score0.99988EPSS
In wild
CVE
CVE
added 2022/04/01 12:0 a.m.1538 views

CVE-2022-22963

CVE-2022-22963 affects Spring Cloud Function: in versions 3.1.6, 3.2.2 and older unsupported releases, routing-expression using SpEL can be crafted by a user to trigger remote code execution and access local resources. The root cause is unsafe evaluation of SpEL within the HTTP request routing he...

9.8CVSS9.5AI score0.99939EPSS
In wildWeb
CVE
CVE
added 2020/05/20 6:26 p.m.1525 views

CVE-2020-9484

CVE-2020-9484 is a deserialization flaw in Apache Tomcat that, under a specific FileStore PersistenceManager configuration and a crafted request, can trigger remote code execution. Affected are Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107 when the...

7CVSS7.5AI score0.56636EPSS
CVE
CVE
added 2020/02/24 9:11 p.m.1475 views

CVE-2020-1935

CVE-2020-1935 affects Apache Tomcat across multiple branches: 9.0.0.M1–9.0.30, 8.5.0–8.5.50, and 7.0.0–7.0.99. It stems from HTTP header parsing that can mishandle end-of-line and Transfer-Encoding, enabling HTTP Request Smuggling when Tomcat sits behind certain reverse proxies. Impact is informa...

5.8CVSS7.4AI score0.09386EPSS
CVE
CVE
added 2021/12/14 12:0 a.m.1461 views

CVE-2021-4104

CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...

7.5CVSS9.4AI score0.81147EPSS
In wildWeb
CVE
CVE
added 2020/12/11 1:11 a.m.1430 views

CVE-2020-17530

CVE-2020-17530 describes a vulnerability in Apache Struts 2 where forced OGNL evaluation on raw user input in tag attributes can cause remote code execution. Affected products range from Struts 2.0.0 up to 2.5.25. The description states that evaluating untrusted input via the %{...} syntax enable...

9.8CVSS9.6AI score0.95922EPSS
In wild
CVE
CVE
added 2019/12/23 4:39 p.m.1245 views

CVE-2019-17563

Tomcat CVE-2019-17563: A race-condition in FORM authentication allowed a session-fixation window in Tomcat 9.0.0.M1–9.0.29, 8.5.0–8.5.49, and 7.0.0–7.0.98. The issue is acknowledged as a vulnerability with practical exploitation not detailed in the provided docs. Affected products: Apache Tomcat....

7.5CVSS7.7AI score0.10687EPSS
CVE
CVE
added 2021/12/18 11:55 a.m.1190 views

CVE-2021-45105

Summary of CVE-2021-45105 (Log4j2) : Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...

5.9CVSS7.7AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2019/12/20 4:1 p.m.1158 views

CVE-2019-17571

CVE-2019-17571 affects the Apache Log4j 1.x SocketServer: it deserializes serialized log events from untrusted network input without proper whitelisting, enabling remote code execution when combined with a deserialization gadget. Affected are Log4j 1.2 up to 1.2.17; exploitation hinges on receivi...

9.8CVSS8.8AI score0.6906EPSS
CVE
CVE
added 2021/10/26 12:0 a.m.1107 views

CVE-2021-41182

CVE-2021-41182 is an XSS in the jQuery-UI Datepicker altField path (embedded in some OTRS deployments). Affected version observed as 1.12.1 copy; the issue is fixed in jQuery UI 1.13.0 by treating any altField value as a CSS selector. Debris from related CVEs (41183/41184) describe similar issues...

6.5CVSS6.4AI score0.42229EPSS
CVE
CVE
added 2017/04/06 9:0 p.m.1051 views

CVE-2016-8735

CVE-2016-8735 is a remote code execution vulnerability in Apache Tomcat via JmxRemoteLifecycleListener. Affected are Tomcat releases before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12, when JMX ports are reachable. Root cause: JmxRemoteLifecycleListe...

9.8CVSS8AI score0.90338EPSS
In wild
CVE
CVE
added 2020/07/14 3:0 p.m.976 views

CVE-2020-13935

CVE-2020-13935 affects Apache Tomcat: the WebSocket frame payload length was not properly validated, which could trigger an infinite loop and allow DoS via multiple invalid payloads. Affected: Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104. The initial d...

7.5CVSS7.5AI score0.87553EPSS
CVE
CVE
added 2021/03/01 12:0 p.m.973 views

CVE-2021-25329

The CVE-2021-25329 entry is tied to an incomplete fix for CVE-2020-9484 in Apache Tomcat. In affected releases (Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107) a configuration edge case that was deemed highly unlikely could leave the Tomcat instance vulnerab...

7CVSS7.3AI score0.09491EPSS
CVE
CVE
added 2021/03/01 12:0 p.m.932 views

CVE-2021-25122

CVE-2021-25122 affects Apache Tomcat across multiple lines: 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61. The issue allows duplicating request headers and a limited amount of request body from one request to another, enabling cross-user visibility of results (information disclosur...

7.5CVSS6.9AI score0.18114EPSS
CVE
CVE
added 2019/02/27 11:0 p.m.928 views

CVE-2019-1559

OpenSSL vulnerability CVE-2019-1559 describes a padding-oracle weakness where, if an application encounters a fatal protocol error and then calls SSL_shutdown() twice (to send close_notify and to receive one), the server may respond differently to a 0-byte record with invalid padding versus inval...

5.9CVSS6.3AI score0.17139EPSS
CVE
CVE
added 2022/01/18 3:25 p.m.876 views

CVE-2022-23302

CVE-2022-23302 affects Log4j 1.x JMSSink. TheDeserialization flaw allows remote code execution when an attacker can write to the Log4j configuration or when the configuration references an LDAP service the attacker controls. JMSSink can be triggered via a TopicConnectionFactoryBindingName to caus...

8.8CVSS9.3AI score0.61785EPSS
CVE
CVE
added 2020/04/21 1:45 p.m.828 views

CVE-2020-1967

CVE-2020-1967 describes a NULL pointer dereference in OpenSSL’s SSL_check_chain() during or after a TLS 1.3 handshake, caused by incorrect handling of the signature_algorithms_cert extension. A malicious peer sending an invalid/unrecognized signature algorithm can crash the server/client, enablin...

7.5CVSS7.5AI score0.53336EPSS
CVE
CVE
added 2022/01/18 3:25 p.m.821 views

CVE-2022-23307

CVE-2022-23307 concerns a deserialization vulnerability in the Chainsaw component of Apache Log4j 1.x (Chainsaw bundled with Log4j 1.2.x). The root cause is unsafe deserialization of untrusted data via Chainsaw, allowing potential code execution. Multiple Atlassian products initially bundled Chai...

9CVSS9.2AI score0.52458EPSS
CVE
CVE
added 2020/12/03 6:30 p.m.784 views

CVE-2020-17527

CVE-2020-17527 affects multiple Apache Tomcat releases where HTTP/2 stream handling could cause information leakage by reusing an HTTP request header value from a previous stream for the next stream. Affected products/versions include Tomcat 10.0.0-M1–M9, 9.0.0-M1–9.0.39, and 8.5.0–8.5.59; the is...

7.5CVSS7.5AI score0.24622EPSS
CVE
CVE
added 2021/08/24 2:50 p.m.767 views

CVE-2021-3711

CVE-2021-3711 involves a bug in OpenSSL SM2 decryption: the buffer-size calculation during EVP_PKEY_decrypt() first call can under-allocate, enabling a later second call with a too-small buffer and causing a buffer overflow (up to 62 bytes). The issue affects OpenSSL 1.1.1 up to 1.1.1k and is fix...

9.8CVSS9.9AI score0.87816EPSS
CVE
CVE
added 2020/06/26 4:27 p.m.760 views

CVE-2020-11996

CVE-2020-11996 affects Apache Tomcat versions 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35, and 8.5.0 to 8.5.55, where a specially crafted sequence of HTTP/2 requests could trigger high CPU and make the server unresponsive. Multiple connected advisories confirm this DoS through HTTP/2 traffic. Publ...

7.5CVSS7.4AI score0.26699EPSS
In wild
CVE
CVE
added 2022/01/18 3:25 p.m.744 views

CVE-2022-23305

CVE-2022-23305 concerns Apache Log4j 1.x when configured with JDBCAppender: an SQL statement is built from a PatternLayout-converted value (notably %m), allowing an attacker to craft input to alter and potentially execute SQL. The issue is specific to Log4j 1.x if JDBCAppender is used; JDBCAppend...

9.8CVSS9.4AI score0.66537EPSS
Web
CVE
CVE
added 2021/08/24 2:50 p.m.713 views

CVE-2021-3712

The CVE-2021-3712 issue affects OpenSSL where ASN1_STRING data may not be NUL-terminated if constructed directly (or via ASN1_STRING_set0), causing read-buffer overreads when many OpenSSL print/name-constraining paths handle such ASN.1 strings. Exploitation could crash the application (DoS) or di...

7.4CVSS8AI score0.50445EPSS
CVE
CVE
added 2020/07/14 2:59 p.m.628 views

CVE-2020-13934

CVE-2020-13934 affects multiple Apache Tomcat releases (8.5.1–8.5.56, 9.0.x, 10.0.x up to M6) where an h2c direct connection didn’t release the HTTP/1.1 processor after upgrading to HTTP/2, potentially causing OutOfMemoryError and denial of service. Public advisories across vendors and distributi...

7.5CVSS7.3AI score0.64124EPSS
CVE
CVE
added 2021/07/12 2:55 p.m.612 views

CVE-2021-33037

CVE-2021-33037 affects Apache Tomcat: versions 10.0.0-M1–10.0.6, 9.0.0.M1–9.0.46, and 8.5.0–8.5.66 may mishandle the HTTP transfer-encoding header with reverse proxies, enabling request smuggling. Root cause: improper header handling allowing spoofed content encoding sequencing. Impact stated in ...

5.3CVSS6.1AI score0.75353EPSS
CVE
CVE
added 2021/10/26 12:0 a.m.610 views

CVE-2021-41183

CVE-2021-41183 concerns jQuery-UI’s Datepicker in the embedded jQuery-UI copy used by OTRS (notably in the 1.12.1 series). The vulnerability arises from accepting values for the various *Text options from untrusted sources, which could allow execution of untrusted code. The issue is fixed in jQue...

6.5CVSS6.5AI score0.07948EPSS
CVE
CVE
added 2017/04/17 9:0 p.m.608 views

CVE-2017-5645

CVE-2017-5645 affects Apache Log4j 2.x prior to 2.8.2. The vulnerability arises when using a TCP/UDP socket server to receive serialized log events from another application; a crafted binary payload can be deserialized to execute arbitrary code. The documented impact is remote code execution via ...

9.8CVSS9.5AI score0.8904EPSS
CVE
CVE
added 2021/03/25 2:25 p.m.566 views

CVE-2021-3450

CVE-2021-3450 affects OpenSSL 1.1.1h–1.1.1j where a bug in the X509_V_FLAG_X509_STRICT path overwrote a prior CA-check result, bypassing the non-CA certificates prohibition unless a programmed purpose is used. When a purpose is configured, the certificate chain is still rejected; the issue is fix...

7.4CVSS7.6AI score0.18339EPSS
CVE
CVE
added 2019/12/06 5:20 p.m.553 views

CVE-2019-1551

CVE-2019-1551 refers to an overflow bug in the x64_64 Montgomery squaring procedure used in OpenSSL during exponentiation with 512-bit moduli. OpenSSL notes no impact to EC, while DH512 attacks are only just feasible under certain conditions. Public disclosures and advisories confirm the issue an...

5.3CVSS6AI score0.14298EPSS
CVE
CVE
added 2020/02/24 9:4 p.m.549 views

CVE-2019-17569

CVE-2019-17569: In Apache Tomcat, a regression from refactoring in 9.0.28–9.0.30, 8.5.48–8.5.50, and 7.0.98–7.0.99 caused invalid Transfer-Encoding header handling, enabling HTTP Request Smuggling behind a misconfigured reverse proxy. Connected advisories show mitigations: Amazon Linux 2 ALAS2TOM...

5.8CVSS7AI score0.08872EPSS
CVE
CVE
added 2020/09/14 4:41 p.m.483 views

CVE-2019-0230

CVE-2019-0230 affects Apache Struts 2.0.0–2.5.20 and is caused by forced double OGNL evaluation on raw user input in tag attributes, potentially enabling remote code execution. Reported impact is remote code execution with high severity (CVE CVSSv3 9.8). Mitigation documented in the sources inclu...

9.8CVSS9.5AI score0.97399EPSS
In wildWeb
CVE
CVE
added 2022/01/27 12:0 a.m.447 views

CVE-2022-23181

CVE-2022-23181 is a TOCTTOU vulnerability introduced by the fix for CVE-2020-9484 in Apache Tomcat when the server persists sessions using FileStore. It is exploitable by a local attacker who can perform actions with the Tomcat process user privileges. Affected ranges (per the sources) include To...

7CVSS7.2AI score0.00692EPSS
CVE
CVE
added 2022/02/24 12:0 a.m.383 views

CVE-2022-21824

CVE-2022-21824 is a prototype pollution vulnerability in Node.js linked to console.table properties. It affects Node.js prior to patched releases and can be triggered when user-controlled data is passed as the first parameter with a plain object containing an own property such as proto . Public a...

8.2CVSS8.1AI score0.21514EPSS
CVE
CVE
added 2022/04/14 8:5 p.m.303 views

CVE-2022-22968

CVE-2022-22968 affects Spring Framework where DataBinder’s disallowedFields patterns are case sensitive in versions 5.3.0–5.3.18, 5.2.0–5.2.20, and older unsupported releases. The issue means a field is not fully protected unless every first character (and nested path) is listed in both uppercase...

5.3CVSS5.4AI score0.05666EPSS
CVE
CVE
added 2022/02/24 6:27 p.m.301 views

CVE-2021-44531

CVE-2021-44531 affects Node.js and stems from improper handling of URI SAN types in X.509 certificate hostname verification. Older Node.js releases accepted URI SANs by default and could bypass name-constrained intermediates when PKIs aren’t defined for that SAN type; URI matching could also fail...

7.4CVSS7.5AI score0.08373EPSS
CVE
CVE
added 2021/05/27 2:48 p.m.294 views

CVE-2021-22118

CVE-2021-22118 affects the Spring Framework WebFlux component. The vulnerability exists in Spring Framework versions: 5.2.x prior to 5.2.15 and 5.3.x prior to 5.3.7. An authenticated local attacker can exploit a flaw tied to (re)creating the temporary storage directory to read or modify files upl...

7.8CVSS7.5AI score0.00396EPSS
CVE
CVE
added 2020/09/19 3:45 a.m.293 views

CVE-2020-5421

CVE-2020-5421 affects Spring Framework releases across multiple lines (5.2.x to 5.0.x, 4.3.x and older). The issue arises from improper input handling of the jsessionid path parameter, which may bypass RFD Protection and weaken security controls. Affected products reference VMware Tanzu Spring Fr...

8.7CVSS7.2AI score0.10736EPSS
CVE
CVE
added 2022/02/24 6:27 p.m.272 views

CVE-2021-44533

CVE-2021-44533 affects Node.js by improper handling of multi-value Relative Distinguished Names, potentially allowing bypass of certificate subject verification. Affected are Node.js versions < 12.22.9, < 14.18.3, < 16.13.2, and

5.3CVSS6.3AI score0.09358EPSS
CVE
CVE
added 2022/02/24 6:27 p.m.263 views

CVE-2021-44532

CVE-2021-44532 affects Node.js where SAN handling converts Subject Alternative Names to a string to validate hostnames. The vulnerability allows bypass of certificate name constraints when present in a certificate chain. Affected versions include Node.js <12.22.9, <14.18.3, <16.13.2, and

5.3CVSS6.6AI score0.10364EPSS
CVE
CVE
added 2018/05/11 8:0 p.m.251 views

CVE-2018-1258

CVE-2018-1258 affects Spring Framework 5.0.5 when used with any Spring Security version, enabling an authorization bypass for method security. An unauthorized user could access restricted methods. The connected advisory from F5 reiterates the same vulnerability description and lists affected prod...

8.8CVSS9AI score0.02396EPSS
CVE
CVE
added 2020/01/17 6:50 p.m.233 views

CVE-2020-5397

CVE-2020-5397 - Normal details Affected software: Spring Framework 5.2.x (prior to 5.2.3) where CSRF is possible via CORS preflight requests targeting Spring MVC (spring-webmvc) or Spring WebFlux (spring-webflux). Vulnerability and impact: Non-authenticated endpoints can be exploited through pref...

5.3CVSS5.5AI score0.02382EPSS
CVE
CVE
added 2018/10/18 10:0 p.m.231 views

CVE-2018-15756

CVE-2018-15756 (Spring Framework) affects Spring Web MVC/WebFlux ranges handling: the ResourceHttpRequestHandler, or returning a Resource from an annotated controller, can be abused by a crafted Range header to trigger a denial-of-service. Affected versions include Spring Framework 5.1, 5.0.x bef...

7.5CVSS7.3AI score0.09513EPSS
CVE
CVE
added 2021/02/23 6:48 p.m.192 views

CVE-2021-22112

CVE-2021-22112 involves Spring Security flaws that could enable privilege escalation when the SecurityContext is modified multiple times in a single request. Affected versions: Spring Security 5.4.x before 5.4.4, 5.3.x before 5.3.8.RELEASE, 5.2.x before 5.2.9.RELEASE (and older unsupported versio...

9CVSS8.4AI score0.03197EPSS
CVE
CVE
added 2020/11/24 11:0 p.m.191 views

CVE-2020-26237

Highlight.js vulnerability CVE-2020-26237: Prototype Pollution in versions before 9.18.2 and 10.1.2 (and older); a malicious HTML block could pollute Object.prototype during highlighting. Upstream fixes exist in 9.18.2+, 10.1.2+, and newer. Debian/OSS advisories also reference updates; remediatio...

8.7CVSS6.8AI score0.01307EPSS
CVE
CVE
added 2018/06/25 3:0 p.m.183 views

CVE-2018-11039

CVE-2018-11039 affects the Spring Framework, where the HiddenHttpMethodFilter in Spring MVC allows web apps to change the HTTP request method to any method (including TRACE). This can enable an attacker with an existing XSS vulnerability to escalate to an XST (Cross Site Tracing) attack. Affected...

5.9CVSS6.9AI score0.02781EPSS
CVE
CVE
added 2020/09/14 4:50 p.m.151 views

CVE-2019-0233

CVE-2019-0233 is an Apache Struts vulnerability (affecting Struts 2.0.0–2.5.20) where an access-permission override during file uploads can cause a Denial of Service. Exploitation requires a crafted request, and the impact is DoS during subsequent uploads. Remediation is to upgrade to a fixed Str...

7.5CVSS8.1AI score0.68761EPSS
Total number of security vulnerabilities58