Lucene search
+L
OracleWebcenter Portal

100 matches found

CVE
CVE
added 2020/03/07 12:2 a.m.1482 views

CVE-2020-9281

CVE-2020-9281 is an XSS in CKEditor’s HTML Data Processor that allows remote script execution via a crafted protected comment (CKEditor syntax cke_protected). Affected are CKEditor 4.0–before 4.14. IBM DOORS/DOORS Web Access bullets include this CVE and note remediation: upgrade to CKEditor 4.17....

6.1CVSS5.4AI score0.04327EPSS
CVE
CVE
added 2020/01/15 4:34 p.m.1345 views

CVE-2020-2555

CVE-2020-2555 (WebLogic/Coherence) : A deserialization vulnerability in Oracle Coherence (Fusion Middleware) enables unauthenticated remote code execution via the T3 protocol. Affected versions include Coherence 3.7.1.x, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0. The flaw originates from ReflectionExtra...

9.8CVSS9.1AI score0.97116EPSS
In wild
CVE
CVE
added 2021/12/18 11:55 a.m.1190 views

CVE-2021-45105

Summary of CVE-2021-45105 (Log4j2) : Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...

5.9CVSS7.7AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2021/08/23 12:0 a.m.853 views

CVE-2021-39144

CVE-2021-39144 refers to a remote code execution vulnerability in XStream, a Java library for XML serialization. When processed input streams are manipulated, an attacker with sufficient rights could execute arbitrary commands on the host. Public descriptions consistently note that XStream now us...

8.5CVSS9AI score0.98124EPSS
In wildWeb
CVE
CVE
added 2021/04/13 6:50 a.m.636 views

CVE-2021-29425

CVE-2021-29425 affects Apache Commons IO up to version 2.6, specifically FileNameUtils.normalize. With inputs such as "//../foo" or "\..\foo", normalization can yield a value that does not escape to higher directories, potentially enabling access to the parent directory if the resulting path is u...

5.8CVSS6.7AI score0.10608EPSS
In wild
CVE
CVE
added 2020/12/03 4:16 p.m.616 views

CVE-2020-25649

The CVE-2020-25649 entry concerns a flaw in FasterXML Jackson Databind where entity expansion was not properly secured, enabling XML External Entity (XXE) attacks. This is a data-integrity risk. Connected advisories consistently associate the issue with Jackson Databind and XXE, and several sourc...

7.5CVSS7.3AI score0.17611EPSS
CVE
CVE
added 2021/08/18 3:10 p.m.543 views

CVE-2021-37714

CVE-2021-37714 affects jsoup (Java HTML parser) versions prior to 1.14.2. When parsing untrusted HTML/XML, the parser may loop, slow down, or throw exceptions, enabling a denial-of-service condition. A fix is available in jsoup 1.14.2. Workarounds include rate-limiting parsing input, capping inpu...

7.5CVSS7.3AI score0.06873EPSS
CVE
CVE
added 2020/05/01 6:55 p.m.507 views

CVE-2020-10683

CVE-2020-10683 is described in IBM Bulletin sources as an XXE vulnerability in the dom4j library, allowing a remote authenticated attacker to obtain sensitive information through XML processing. The issue stems from dom4j handling External DTDs/Entities by default, and multiple IBM entries map th...

9.8CVSS9.2AI score0.07269EPSS
CVE
CVE
added 2020/03/31 4:37 a.m.504 views

CVE-2020-11113

CVE-2020-11113 is a deserialization vulnerability in FasterXML jackson-databind (2.x before 2.9.10.4) tied to typing gadget interactions (notably related to org.apache.openjpa.ee.WASRegistryManagedRuntime). The connected documents corroborate an exploit path via unsafe deserialization leading to ...

8.8CVSS8.3AI score0.06278EPSS
CVE
CVE
added 2018/02/06 3:0 p.m.500 views

CVE-2017-7525

CVE-2017-7525 is a deserialization flaw in jackson-databind enabling code execution via ObjectMapper.readValue on versions before 2.6.7.1, 2.7.9.1, or 2.8.9. Astra Linux notes extend the issue to versions before 2.8.10 and 2.9.1, and newer advisories reference mitigations/updates. Remediation vis...

9.8CVSS9.2AI score0.37925EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.497 views

CVE-2021-21341

CVE-2021-21341 affects the XStream Java library (unmarshalling) prior to 1.4.16. The vulnerability enables a remote attacker to cause a denial-of-service by consuming 100% CPU time via manipulated input streams. Impact is described as CPU denial of service; no user impact if the recommended Secur...

7.5CVSS8.5AI score0.77801EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.495 views

CVE-2021-21342

CVE-2021-21342 affects the Java library XStream (prior to 1.4.16). During unmarshalling, the processed input stream can include type information used to recreate objects, enabling an attacker to inject/replace objects and trigger a server-side forgery. The documented fix is to upgrade to at least...

9.1CVSS7.3AI score0.4999EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.488 views

CVE-2021-21343

CVE-2021-21343 affects XStream (Java) prior to 1.4.16. The vulnerability arises during unmarshalling when the processed input stream carries type information, enabling an attacker to create new instances based on that data and potentially replace or inject objects, including causing local file de...

7.5CVSS7.1AI score0.46666EPSS
CVE
CVE
added 2021/05/28 9:0 p.m.487 views

CVE-2021-29505

CVE-2021-29505 affects XStream (Java XML serialization) in versions before 1.4.17. The public docs indicate the fix is in 1.4.17; multiple advisories (Debian, Fedora, Amazon Linux, Astra Linux) reference this CVE in the context of libxstream-java. Atlassian Jira Server/Data Center reports indicat...

8.8CVSS8.2AI score0.77735EPSS
CVE
CVE
added 2021/10/19 12:0 a.m.485 views

CVE-2021-37136

CVE-2021-37136 : The Bzip2 decompression decoder can set no limit on the decompressed output size, affecting all Bzip2Decoder users. This under- or over-allocates memory during decompression and can trigger an OutOfMemoryError, enabling DoS. Connected IBM/ASTRA entries reiterate the same descript...

7.5CVSS7.4AI score0.05651EPSS
CVE
CVE
added 2021/11/17 12:0 a.m.484 views

CVE-2021-41164

CKEditor4 contains an Advanced Content Filter (ACF) vulnerability (CVE-2021-41164) that allows injection of malformed HTML bypassing sanitization, enabling JavaScript execution. Affected: CKEditor4

8.2CVSS6.2AI score0.01257EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.468 views

CVE-2018-14721

CVE-2018-14721 affects FasterXML jackson-databind 2.x up to 2.9.6 (before 2.9.7). The flaw allows remote attackers to perform SSRF by failing to block axis2-jaxws class during polymorphic deserialization, enabling server-side requests under network access. The vulnerability is tied to the misuse ...

10CVSS9.4AI score0.10458EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.456 views

CVE-2021-21344

Summary: CVE-2021-21344 affects the XStream Java XML serialization library. In versions before 1.4.16, a remote attacker can load and execute arbitrary code by manipulating the processed input stream. The risk is mitigated if the security framework whitelist is properly configured; otherwise the ...

9.8CVSS8AI score0.7598EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.449 views

CVE-2018-19361

CVE-2018-19361 is listed in the IBM Cloudera Observability bulletin as affecting Cloudera Observability on Premises 3.5.3, with remediation in 3.6.2. Description from the bulletin notes that FasterXML jackson-databind 2.x before 2.9.8 allows polymorphic deserialization via the openjpa class, yiel...

9.8CVSS8.8AI score0.10599EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.448 views

CVE-2021-21351

CVE-2021-21351 is an XStream deserialization vulnerability. Connected IBM advisories confirm the issue affects IBM Data Risk Manager (IDRM) and IBM Engineering/Test Management products via bundled XStream versions, with exploitation through unmarshalling to achieve arbitrary code execution. Remed...

9.1CVSS8.1AI score0.82136EPSS
CVE
CVE
added 2021/10/19 12:0 a.m.438 views

CVE-2021-37137

CVE-2021-37137 involves Netty’s Snappy frame decoding where the SnappyFrameDecoder does not restrict the chunk length, enabling potential excessive memory usage. The issue can be triggered by crafted input that decompresses to a very large size (via network streams or files) or by sending a very ...

7.5CVSS7.4AI score0.0628EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.424 views

CVE-2021-21346

XStream (Java XML serialization library) has CVE-2021-21346 among a set of 2021-04x vulnerabilities. The issue affects XStream prior to 1.4.16 where processing input streams can lead to remote code execution or related impacts if exploitation occurs, with mitigations including enabling the Securi...

9.8CVSS8.3AI score0.76367EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.423 views

CVE-2021-21345

CVE-2021-21345 affects the XStream Java library. Per connected sources, vulnerable versions are those before 1.4.16, where an attacker with sufficient rights can remotely execute commands on the host by manipulating the processed input stream. The issue is mitigated by upgrading to 1.4.16 or late...

9.9CVSS7.8AI score0.72324EPSS
CVE
CVE
added 2020/01/03 3:35 a.m.421 views

CVE-2019-20330

CVE-2019-20330 affects FasterXML jackson-databind 2.x before 2.9.10.2, which lacks blocking for net.sf.ehcache in deserialization. This is a deserialization-side issue with high–critical impact potential; remediation is to upgrade to jackson-databind 2.9.10.2 or newer as indicated by connected IB...

9.8CVSS9.2AI score0.0864EPSS
CVE
CVE
added 2021/03/22 11:40 p.m.413 views

CVE-2021-21347

CVE-2021-21347 affects XStream Java library (pre-1.4.16). The vulnerability allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream, with high severity when not using a proper security framework. Guidance across sources indicates u...

9.8CVSS8.3AI score0.14301EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.411 views

CVE-2018-14720

CVE-2018-14720 affects jackson-databind 2.x prior to 2.9.7, via unsafe polymorphic deserialization that could enable external XML entity (XXE) attacks when failure to block unspecified JDK classes occurs. The connected documents corroborate a fix in 2.9.7 (and related update notes), with multiple...

9.8CVSS9.4AI score0.07524EPSS
CVE
CVE
added 2019/01/02 6:0 p.m.411 views

CVE-2018-19360

CVE-2018-19360 affects FasterXML jackson-databind 2.x before 2.9.8, where failure to block the axis2-transport-jms class enables polymorphic deserialization with unspecified impact. IBM/Cloudera docs corroborate related deserialization flaws across jackson-databind versions and list remediation a...

9.8CVSS8.8AI score0.10599EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.411 views

CVE-2021-21349

XStream (Java) before 1.4.16 is vulnerable to an input-stream manipulation flaw (CVE-2021-21349) that may allow a remote attacker to access data from internal resources not publicly available. The issue arises from processing the input stream during deserialization. A fix is available in XStream ...

8.6CVSS7.8AI score0.46826EPSS
CVE
CVE
added 2019/10/12 8:7 p.m.410 views

CVE-2019-17531

CVE-2019-17531 affects FasterXML jackson-databind 2.0.0–2.9.10; when Default Typing is enabled for an externally exposed JSON endpoint and apache-log4j-extra 1.2.x is on the classpath, an attacker capable of providing a JNDI service can trigger remote code execution. Connected documents corrobora...

9.8CVSS9.2AI score0.05373EPSS
CVE
CVE
added 2021/08/23 5:50 p.m.408 views

CVE-2021-39139

CVE-2021-39139 affects XStream, a Java XML serialization library. The vulnerability allows a remote attacker to load and execute arbitrary code by manipulating the processed input stream; exploitation depends on the affected XStream version and runtime behavior. Connected advisories confirm XStre...

8.8CVSS8.8AI score0.0454EPSS
CVE
CVE
added 2021/07/13 7:15 a.m.402 views

CVE-2021-36090

CVE-2021-36090 affects Apache Commons Compress zip handling: reading a specially crafted ZIP can allocate excessive memory, causing an out-of-memory DoS. Supported details from IBM/AWS advisories point to a fix in Commons Compress (upgrade to 1.21+; e.g., Amazon Linux advisories list apache-commo...

7.5CVSS7.5AI score0.12945EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.401 views

CVE-2021-21350

CVE-2021-21350 affects the XStream Java library. Connected sources confirm that before version 1.4.16 XStream allowed remote code execution by manipulating the processed input stream, with guidance to enable a security whitelist and upgrade to at least 1.4.16. Debian security advisories (DSA-5004...

9.8CVSS8AI score0.15234EPSS
CVE
CVE
added 2021/03/22 11:45 p.m.394 views

CVE-2021-21348

XStream (Java) before version 1.4.16 is vulnerable to a denial of service where a remote attacker can cause a thread to consume maximum CPU time and not return. Public documents consistently describe the issue as affecting XStream’s XML deserialization, with mitigation requiring upgrading to at l...

7.8CVSS7.2AI score0.13832EPSS
CVE
CVE
added 2020/12/18 12:52 a.m.390 views

CVE-2020-28052

CVE-2020-28052 — BC Java OpenBSDBCrypt.password check issue : In Legion of the Bouncy Castle BC Java versions 1.65 and 1.66, the OpenBSDBCrypt.checkPassword method can compare data incorrectly during password verification, causing some incorrect passwords to be treated as a match for different, p...

8.1CVSS7.7AI score0.0714EPSS
CVE
CVE
added 2021/08/23 6:20 p.m.389 views

CVE-2021-39152

CVE-2021-39152 concerns the XStream Java XML serialization library. The vulnerability allows a remote attacker to request data from internal resources not publicly available by manipulating the processed input stream, impacting systems using affected XStream versions when running Java runtimes ar...

8.5CVSS8.6AI score0.11377EPSS
In wild
CVE
CVE
added 2021/08/23 5:55 p.m.384 views

CVE-2021-39151

CVE-2021-39151 is part of a family of vulnerabilities in XStream, a Java library used for XML serialization. The connected documents confirm that, in affected versions, an attacker can load and execute arbitrary code on a remote host by manipulating the processed input stream, with no user intera...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.367 views

CVE-2021-39141

The CVE-2021-39141 entry concerns the XStream Java library, where an attacker can load and execute arbitrary code by manipulating the processed input stream. Affected versions permit code execution from a remote host; mitigation is to upgrade to XStream 1.4.18, which replaces a reliance on blackl...

8.5CVSS8.8AI score0.16118EPSS
CVE
CVE
added 2021/08/23 6:20 p.m.363 views

CVE-2021-39150

XStream Java library (xstream) is affected by CVE-2021-39150. The flaw arises when processing the input stream, potentially allowing a remote attacker to access internal resources not publicly available. Affected description notes impact across Java runtimes from 14 to 8, and emphasizes that enab...

8.5CVSS8.6AI score0.03437EPSS
CVE
CVE
added 2021/08/23 6:15 p.m.361 views

CVE-2021-39140

CVE-2021-39140 affects the XStream Java library. Connected sources describe a vulnerability in XStream up to version 1.4.18 that may allow a remote attacker to cause 100% CPU denial-of-service by manipulating the input stream; no user interaction required. Affected platforms reference upstream be...

6.5CVSS7.3AI score0.05918EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.355 views

CVE-2021-39145

The CVE-2021-39145 vulnerability affects the XStream Java library. In affected versions, a remote attacker can load and execute arbitrary code by manipulating the processed input stream. Public advisories reference XStream updates (e.g., Fedora, Debian, Amazon Linux 2) and indicate remediation th...

8.5CVSS8.8AI score0.04065EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.354 views

CVE-2021-39146

CVE-2021-39146 is an XStream deserialization vulnerability that has been addressed in multiple IBM advisories. The issue allows remote code execution via unsafe object deserialization in XStream across products that bundle the library (e.g., Atlas eDiscovery Process Management, ITNCM, IBM Spectru...

8.5CVSS8.8AI score0.143EPSS
CVE
CVE
added 2019/10/23 7:27 p.m.345 views

CVE-2019-12415

CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The Connected documen...

5.5CVSS6.7AI score0.0099EPSS
CVE
CVE
added 2019/10/01 4:6 p.m.345 views

CVE-2019-16943

CVE-2019-16943 affects FasterXML jackson-databind (versions 2.0.0–2.9.10) via a polymorphic typing flaw that, when Default Typing is enabled for an exposed JSON endpoint and a p6spy P6DataSource is present in the classpath with an accessible RMI endpoint, can lead to remote code execution. The ro...

9.8CVSS9.3AI score0.04901EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.344 views

CVE-2021-39149

CVE-2021-39149 affects the XStream Java serialization library. The vulnerability permits a remote attacker to load and execute arbitrary code by manipulating the processed input stream. The issue is tied to XStream’s input handling and the move away from blacklist-based security (1.4.18), relying...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.339 views

CVE-2021-39147

CVE-2021-39147 relates to XStream, a Java library for XML serialization. Publicly available documents confirm a remote code execution risk when processing input streams, with XStream 1.4.18 and related releases susceptible unless mitigations are applied. Connected sources describe the root cause ...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2021/08/23 5:55 p.m.336 views

CVE-2021-39153

CVE-2021-39153 affects XStream Java library. In affected releases, a remote attacker could load and execute arbitrary code by manipulating the processed input stream, when using XStream out of the box with certain Java runtimes (Java 14 to 8) or with JavaFX installed. The issue is tied to input-p...

8.5CVSS8.9AI score0.04457EPSS
CVE
CVE
added 2021/08/23 5:50 p.m.334 views

CVE-2021-39154

XStream (Java) vulnerability CVE-2021-39154: in affected XStream releases (e.g., 1.4.18) a remote attacker can load and execute arbitrary code by manipulating the input stream. Multiple advisories (Debian, Fedora, Amazon Linux 2 ALAS, etc.) reference the same CVE family and urge upgrading libxstr...

8.5CVSS8.8AI score0.04735EPSS
CVE
CVE
added 2020/04/07 6:0 p.m.325 views

CVE-2020-11612

Netty CVE-2020-11612 affects Netty 4.1.x before 4.1.46, where ZlibDecoders may allocate memory without bounds while decoding a ZlibEncoded stream, potentially exhausting server memory. Affected product: Netty 4.1.x (ZlibDecoders). Remediation: upgrade to Netty 4.1.46.Final or later. The documents...

7.5CVSS7.3AI score0.09438EPSS
CVE
CVE
added 2019/10/01 4:4 p.m.324 views

CVE-2019-16942

CVE-2019-16942 affects FasterXML jackson-databind 2.0.0–2.9.10. When Default Typing is enabled for an externally exposed JSON endpoint and the service includes the commons-dbcp 1.4 jar on the classpath, with an accessible RMI endpoint, the vulnerability can allow execution of a malicious payload ...

9.8CVSS9.4AI score0.05728EPSS
CVE
CVE
added 2021/08/23 6:5 p.m.319 views

CVE-2021-39148

Summary: CVE-2021-39148 affects XStream, a Java XML-serialization library. Multiple connected advisories confirm a remote code-execution risk by manipulating the processed input stream, with the attacker able to load and execute arbitrary code from a remote host. The issue is tied to how XStream ...

8.5CVSS8.8AI score0.04735EPSS
Total number of security vulnerabilities100