5 matches found
CVE-2021-4104
CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...
CVE-2021-20218
The CVE refers to fabric8 kubernetes-client vulnerability affecting version 4.2.0 and later, where a malicious pod/container can abuse the client’s copy command to extract files outside the working path, impacting integrity and availability. Fixed in kubernetes-client releases 4.13.2, 5.0.2, 4.11...
CVE-2021-3642
CVE-2021-3642 describes a timing-attack vulnerability in Wildfly Elytron’s ScramServer, affecting versions prior to 1.10.14.Final, 1.15.5.Final, and 1.16.1.Final. The highest impact is confidentiality; no exploitation details are provided in the documents. Connected advisories (e.g., Red Hat RHSA...
CVE-2020-10714
CVE-2020-10714 concerns WildFly Elytron prior to 1.11.3.Final. A flaw in FORM authentication with a session ID in the URL enables a session fixation attack, affecting confidentiality, integrity, and availability. The impact is stated in the sources as high (CVSS 3.1) with network access and user ...
CVE-2023-1932
CVE-2023-1932 involves a vulnerability in Hibernate Validator’s SafeHtmlValidator.isValid method. The flaw can be bypassed by omitting a tag ending in a less-than character, allowing browsers to render invalid HTML and potentially enabling HTML injection or Cross-Site Scripting (XSS). The entry s...