Rest Data Services Security Vulnerabilities and Issues — Rest Data Services CVE List

Lucene search

OracleRest Data Services

24 matches found

CVE•added 2020/04/29 9:15 p.m.•6718 views

CVE-2020-11023

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3...

6.9CVSS7.2AI score0.21667EPSS

In wildWeb

CVE•added 2019/04/20 12:29 a.m.•2237 views

CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

6.1CVSS6.4AI score0.06691EPSS

In wild

CVE•added 2021/10/26 3:15 p.m.•759 views

CVE-2021-41184

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS ...

6.5CVSS6.5AI score0.20769EPSS

CVE•added 2021/10/26 3:15 p.m.•631 views

CVE-2021-41182

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now trea...

6.5CVSS6.4AI score0.31714EPSS

CVE•added 2021/04/13 7:15 a.m.•559 views

CVE-2021-29425

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal),...

5.8CVSS6.7AI score0.00169EPSS

In wild

CVE•added 2021/10/26 3:15 p.m.•549 views

CVE-2021-41183

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now alway...

6.5CVSS6.5AI score0.03276EPSS

CVE•added 2021/04/01 3:15 p.m.•514 views

CVE-2021-28165

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

7.8CVSS7.3AI score0.04692EPSS

CVE•added 2020/11/28 1:15 a.m.•442 views

CVE-2020-27218

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is...

5.8CVSS5.1AI score0.00352EPSS

CVE•added 2021/06/09 2:15 a.m.•412 views

CVE-2021-28169

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2,

5.3CVSS5.2AI score0.92092EPSS

In wildWeb

CVE•added 2021/07/15 5:15 p.m.•337 views

CVE-2021-34429

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

5.3CVSS5.4AI score0.9372EPSS

CVE•added 2021/06/22 3:15 p.m.•331 views

CVE-2021-34428

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2,

3.6CVSS3.9AI score0.00557EPSS

In wild

CVE•added 2021/02/26 10:15 p.m.•330 views

CVE-2020-27223

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those qual...

5.3CVSS5.2AI score0.35717EPSS

CVE•added 2018/06/26 4:29 p.m.•276 views

CVE-2017-7657

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as...

9.8CVSS9.1AI score0.02408EPSS

CVE•added 2019/11/08 3:15 p.m.•248 views

CVE-2019-10219

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

6.5CVSS6AI score0.01852EPSS

CVE•added 2018/06/26 5:29 p.m.•194 views

CVE-2017-7658

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ...

9.8CVSS9.2AI score0.04383EPSS

CVE•added 2019/04/22 8:29 p.m.•192 views

CVE-2019-10241

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

6.1CVSS6.1AI score0.21255EPSS

CVE•added 2017/06/16 9:29 p.m.•161 views

CVE-2017-9735

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

7.5CVSS7.3AI score0.00522EPSS

CVE•added 2019/04/22 8:29 p.m.•104 views

CVE-2019-10246

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to ...

5.3CVSS5.6AI score0.01235EPSS

CVE•added 2021/07/19 2:15 p.m.•76 views

CVE-2021-32013

SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).

5.5CVSS5.5AI score0.00212EPSS

CVE•added 2021/07/19 2:15 p.m.•71 views

CVE-2021-32012

SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).

5.5CVSS5.4AI score0.00212EPSS

CVE•added 2021/07/19 2:15 p.m.•69 views

CVE-2021-32014

SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.

5.5CVSS5.4AI score0.00212EPSS

CVE•added 2020/10/21 3:15 p.m.•34 views

CVE-2020-14745

Vulnerability in the Oracle REST Data Services product of Oracle REST Data Services (component: General). Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c; Standalone ORDS: prior to 20.2.1. Easily exploitable vulnerability allows low privileged attacker with networ...

4.3CVSS3.8AI score0.00197EPSS

CVE•added 2020/10/21 3:15 p.m.•30 views

CVE-2020-14744

6.5CVSS6.4AI score0.00573EPSS

CVE•added 2025/07/15 8:15 p.m.•9 views

CVE-2025-30756

Vulnerability in Oracle REST Data Services (component: General). The supported version that is affected is 24.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks require human interaction from...

6.1CVSS6.3AI score0.00014EPSS