Lucene search
K
OracleRest Data Services

34 matches found

CVE
CVE
added 2020/04/29 12:0 a.m.7237 views

CVE-2020-11023

The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...

6.9CVSS7.2AI score0.8383EPSS
In wild
CVE
CVE
added 2019/04/19 12:0 a.m.3081 views

CVE-2019-11358

CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable proto property. The Core issue is triggered when a polluted prototype is introduced via nested ob...

6.1CVSS6.4AI score0.87218EPSS
In wild
CVE
CVE
added 2021/10/26 12:0 a.m.1088 views

CVE-2021-41182

CVE-2021-41182 is an XSS in the jQuery-UI Datepicker altField path (embedded in some OTRS deployments). Affected version observed as 1.12.1 copy; the issue is fixed in jQuery UI 1.13.0 by treating any altField value as a CSS selector. Debris from related CVEs (41183/41184) describe similar issues...

6.5CVSS6.4AI score0.42229EPSS
CVE
CVE
added 2021/10/26 12:0 a.m.912 views

CVE-2021-41184

CVE-2021-41184 describes an XSS in jQuery-UI before 1.13.0 where untrusted input passed to the of option of the .position() utility could lead to code execution. The connected documents confirm the issue affects jQuery-UI embedded in other software (e.g., OTRS/IU contexts) and state the fix is to...

6.5CVSS6.5AI score0.44515EPSS
Web
CVE
CVE
added 2021/04/13 6:50 a.m.634 views

CVE-2021-29425

CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...

5.8CVSS6.7AI score0.10608EPSS
In wild
CVE
CVE
added 2021/10/26 12:0 a.m.609 views

CVE-2021-41183

CVE-2021-41183 concerns jQuery-UI’s Datepicker in the embedded jQuery-UI copy used by OTRS (notably in the 1.12.1 series). The vulnerability arises from accepting values for the various *Text options from untrusted sources, which could allow execution of untrusted code. The issue is fixed in jQue...

6.5CVSS6.5AI score0.07948EPSS
CVE
CVE
added 2021/04/01 2:20 p.m.561 views

CVE-2021-28165

The CVE-2021-28165 issue affects Eclipse Jetty versions 7.2.2–9.4.38, 10.0.0.alpha0–10.0.1, and 11.0.0.alpha0–11.0.1, where handling a large invalid TLS frame can cause CPU usage to reach 100%, leading to resource exhaustion. The underlying cause is described as abnormal processing after receivin...

7.8CVSS7.3AI score0.53861EPSS
CVE
CVE
added 2021/06/09 1:55 a.m.525 views

CVE-2021-28169

CVE-2021-28169 affects Eclipse Jetty shipped with multiple versions (<= 9.4.40, <= 10.0.2,

5.3CVSS5.2AI score0.7848EPSS
In wildWeb
CVE
CVE
added 2020/11/28 12:0 a.m.520 views

CVE-2020-27218

CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...

5.8CVSS5.1AI score0.08113EPSS
CVE
CVE
added 2021/02/26 9:55 p.m.400 views

CVE-2020-27223

CVE-2020-27223 affects Eclipse Jetty 9.4.6.v20170531–9.4.36.v20210114, 10.0.0, and 11.0.0, where handling requests with multiple Accept headers and many quality (q) values can cause high CPU usage and a DoS. Public sources consistently describe CPU exhaustion as the impact. Remediation is to upgr...

5.3CVSS5.2AI score0.7795EPSS
CVE
CVE
added 2021/07/15 5:0 p.m.397 views

CVE-2021-34429

CVE-2021-34429 affects Eclipse Jetty: 9.4.37–9.4.42, 10.0.1–10.0.5, and 11.0.1–11.0.5. A vulnerability allows crafting certain encoded URIs to access WEB-INF content and bypass some security constraints, constituting a variation of CVE-2021-28164. Public references in connected docs describe this...

5.3CVSS5.4AI score0.99298EPSS
CVE
CVE
added 2021/06/22 2:45 p.m.388 views

CVE-2021-34428

CVE-2021-34428 affects Eclipse Jetty up to 9.4.40, 10.0.2, and 11.0.2. The root cause is an exception in SessionListener#sessionDestroyed() that prevents the session ID from being invalidated in the session ID manager, which in clustered deployments can leave a user session active on a shared mac...

3.6CVSS3.9AI score0.00963EPSS
In wild
CVE
CVE
added 2018/06/26 4:0 p.m.316 views

CVE-2017-7657

CVE-2017-7657 affects Eclipse Jetty: transfer-encoding chunk size parsing could overflow an integer, causing large chunks to be treated as smaller ones and enabling a fake pipelined request that bypasses intermediary authorization. Affected versions include Jetty 9.2.x and older, 9.3.x (all confi...

9.8CVSS9.1AI score0.16154EPSS
CVE
CVE
added 2019/11/08 2:46 p.m.296 views

CVE-2019-10219

The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...

6.5CVSS6AI score0.02167EPSS
CVE
CVE
added 2019/04/22 8:14 p.m.229 views

CVE-2019-10241

CVE-2019-10241 affects Eclipse Jetty prior to specific release lines: 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older. The vulnerability is an XSS due to improper validation of user-supplied input by DefaultServlet and ResourceHandler when a remote client uses a specially crafted URL to ...

6.1CVSS6.1AI score0.09591EPSS
CVE
CVE
added 2018/06/26 5:0 p.m.226 views

CVE-2017-7658

In CVE-2017-7658, Eclipse Jetty had a flaw in how it handles HTTP requests when multiple Content-Length headers are present or when a Content-Length header accompanies a chunked encoding header. This could allow a forged or pipelined request to bypass intermediary authorization if the shorter len...

9.8CVSS9.2AI score0.20985EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.212 views

CVE-2026-46840

CVE-2026-46840 affects Oracle REST Data Services (Backend-as-a-Service). Affected versions are 24.2.0–26.1.0. An unauthenticated attacker with network access via HTTPS can compromise ORDS, with potential takeover and full impact on related products. CVSS 3.1 base score is 10.0 (C/I/A = High). The...

10CVSS5.8AI score0.00725EPSS
CVE
CVE
added 2017/06/16 9:0 p.m.181 views

CVE-2017-9735

CVE-2017-9735 affects Jetty (Jetty 9.x family) via a timing-channel flaw in util/security/Password.java, enabling a remote attacker to infer sensitive information by measuring response times to incorrect password attempts. The issue can lead to unauthorized access and is described with a CVSS bas...

7.5CVSS7.3AI score0.05795EPSS
CVE
CVE
added 2019/04/22 8:14 p.m.129 views

CVE-2019-10246

CVE-2019-10246 is described in connected IBM security bulletins as an Eclipse Jetty vulnerability where a server configured to Listing directory contents could expose the fully-qualified Base Resource directory name to remote clients, potentially revealing sensitive information. IBM Cognos Analyt...

5.3CVSS5.6AI score0.04016EPSS
CVE
CVE
added 2021/07/19 1:20 p.m.104 views

CVE-2021-32013

Affected software: SheetJS and SheetJS Pro up to version 0.16.9. Issue: memory consumption denial of service when reading a crafted .xlsx file via xlsx.js (issue 2 of 2). Impact: DoS due to parsing/memory handling. Remediation: upgrade to SheetJS/xlsx 0.17.0 or higher. Public references in connec...

5.5CVSS5.5AI score0.0088EPSS
CVE
CVE
added 2021/07/19 1:20 p.m.101 views

CVE-2021-32014

SheetJS Pro up to version 0.16.9 is affected: reading a crafted .xlsx with xlsx.js can cause a denial of service via CPU consumption. The issue is documented across multiple sources (NVD, Red Hat, npm advisory, OSV) and is mitigated by upgrading to 0.17.0 or later. Affected product: SheetJS (and ...

5.5CVSS5.4AI score0.0088EPSS
CVE
CVE
added 2021/07/19 1:20 p.m.94 views

CVE-2021-32012

CVE-2021-32012 affects SheetJS and SheetJS Pro up to version 0.16.9. A crafted .xlsx document read by xlsx.js can cause a denial of service via memory consumption (issue 1 of 2). Exploitation details are described in the connected documents; the attack targets the XSLX reader logic. Mitigation: u...

5.5CVSS5.4AI score0.0088EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.51 views

CVE-2026-46839

CVE-2026-46839 affects Oracle REST Data Services (ORDS) Core. Affected versions are 24.2.0–26.1.0. The vulnerability allows a low-privileged attacker with network access via HTTPS to compromise ORDS and can lead to takeover, with CVSS v3.1 base score 9.9 (CRITICAL) and impact to Confidentiality, ...

9.9CVSS5.8AI score0.00352EPSS
CVE
CVE
added 2025/07/15 7:27 p.m.50 views

CVE-2025-30756

The CVE-2025-30756 entry concerns Oracle REST Data Services (ORDS) version 24.2.0. Aware from the PT-2025-29607 entry, an easily exploitable issue allows an unauthenticated attacker with network access via HTTP to compromise ORDS; exploitation requires human interaction from a user other than the...

6.1CVSS6.3AI score0.00126EPSS
CVE
CVE
added 2020/10/21 2:4 p.m.49 views

CVE-2020-14745

CVE-2020-14745 affects Oracle REST Data Services (ORDS) General component. Affected versions include 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, and Standalone ORDS before 20.2.1. The issue enables a low-privileged, network-accessible attacker over HTTP to read a subset of ORDS data. No exploitation ...

4.3CVSS3.8AI score0.00948EPSS
CVE
CVE
added 2020/10/21 2:4 p.m.44 views

CVE-2020-14744

The CVE-2020-14744 issue affects Oracle REST Data Services (ORDS) General component. Affected versions are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c, with Standalone ORDS prior to 20.2.1. The vulnerability is described as easily exploitable by a low-privileged attacker who has network access via...

6.5CVSS6.4AI score0.01281EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.33 views

CVE-2026-46775

Oracle REST Data Services (Core) is affected in versions 24.2.0–26.1.0. The vulnerability allows a low-privileged, unauthenticated attacker with HTTPS network access to compromise the service, potentially taking over the Oracle REST Data Services and impacting related products. CVSS 3.1 base scor...

9.9CVSS5.8AI score0.00431EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.32 views

CVE-2026-35277

CVE-2026-35277 affects Oracle REST Data Services (Core). Affected versions: 24.2.0–26.1.0. The vulnerability is exploitable by a low-privileged attacker with network access via HTTPS, potentially leading to unauthorized creation, deletion or modification of data, or unauthorized access to Oracle ...

8.1CVSS5.8AI score0.00267EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.31 views

CVE-2026-46830

Oracle REST Data Services (ORDS) Mongoapi component is affected. Affected versions: 24.2.0–26.1.0. The vulnerability allows an unauthenticated attacker with network access via HTTPS to read a subset of ORDS data. The CVSS v3.1 base score is 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:...

5.3CVSS5.8AI score0.00205EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.30 views

CVE-2026-46841

Oracle REST Data Services (ORDS) is affected, specifically versions 24.2.0–26.1.0 in the General component. The vulnerability allows an unauthenticated attacker with network access over HTTPS to potentially read a subset of ORDS data. CVSS 3.1 base score is 5.3 (Confidentiality impact: Low). No e...

5.3CVSS5.8AI score0.00215EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.29 views

CVE-2026-46829

The vulnerability CVE-2026-46829 affects Oracle REST Data Services (component: Mongoapi) in versions 24.2.0–26.1.0. An unauthenticated attacker with network access over HTTPS can compromise the service, potentially causing a hang or complete DoS. The CVSS v3.1 base score is 7.5 (Availability high...

7.5CVSS5.8AI score0.00273EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.29 views

CVE-2026-46842

The CVE-2026-46842 entry concerns Oracle REST Data Services (ORES) Core. Affected versions are 24.2.0–26.1.0. The vulnerability is exploitable by an unauthenticated attacker over HTTPS, potentially leading to unauthorized update, insert, or delete operations on some ORES data. The CVSSv3.1 base s...

5.3CVSS5.8AI score0.00183EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.28 views

CVE-2026-46843

Affected product: Oracle REST Data Services (Core). Affected versions: 24.2.0–26.1.0. Vulnerability: unauthenticated, network-accessible via HTTPS, can cause a partial denial of service (partial DOS) to Oracle REST Data Services. Impact: CVSS v3.1 Base Score 5.3 (Availability impact). Exploitabil...

5.3CVSS5.8AI score0.00258EPSS
CVE
CVE
added 2026/05/28 8:17 p.m.26 views

CVE-2026-35266

CVE-2026-35266 concerns Oracle REST Data Services (Core). Affected: ORO REST Data Services versions 24.2.0–26.1.0. The vulnerability allows a low-privilege, network-accessible attacker (via HTTPS) to compromise Oracle REST Data Services, with exploitation requiring user interaction. Impacts inclu...

7.9CVSS5.8AI score0.00115EPSS