20 matches found
CVE-2023-44487
CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...
CVE-2023-1108
CVE-2023-1108 affects Undertow within Red Hat JBoss EAP 7.3.x (SSLConduit) where an infinite loop on close can cause DoS. Connected RHSA-2025-9583 confirms the issue and indicates a fix in the eap-7.3.z line (Patched Undertow). Remediation is to upgrade to the patched EAP 7.3.x release (eap-7.3.z...
CVE-2020-1720
CVE-2020-1720 discusses a PostgreSQL flaw in ALTER ... DEPENDS ON EXTENSION where sub-commands did not perform authorization checks. An authenticated attacker could, in certain configurations, drop objects (functions, triggers, etc.) causing database corruption. Affected versions are PostgreSQL p...
CVE-2018-19361
CVE-2018-19361 is listed in the IBM Cloudera Observability bulletin as affecting Cloudera Observability on Premises 3.5.3, with remediation in 3.6.2. Description from the bulletin notes that FasterXML jackson-databind 2.x before 2.9.8 allows polymorphic deserialization via the openjpa class, yiel...
CVE-2018-19360
CVE-2018-19360 affects FasterXML jackson-databind 2.x before 2.9.8, where failure to block the axis2-transport-jms class enables polymorphic deserialization with unspecified impact. IBM/Cloudera docs corroborate related deserialization flaws across jackson-databind versions and list remediation a...
CVE-2018-12023
The CVE-2018-12023 issue affects FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (globally or per-property) and the Oracle JDBC jar is in the classpath with an LDAP service accessible to an attacker, the service could be coerced into executing a ma...
CVE-2019-14900
CVE-2019-14900 affects Hibernate ORM prior to 5.3.18, 5.4.18, and 5.5.0.Beta1. The flaw is a SQL injection in the JPA Criteria API implementation that can permit unsanitized literals in the SELECT or GROUP BY clauses, enabling an attacker to access unauthorized information. The connected document...
CVE-2019-14892
CVE-2019-14892 — In jackson-databind, polymorphic deserialization can be exploited via JNDI gadgets (commons-configuration 1/2) to achieve remote code execution. Affected: jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3. Remediation: upgrade to a fixed jackson-databind release (e.g...
CVE-2023-4853
CVE-2023-4853 affects Quarkus, where HTTP security policy sanitization fails for certain character permutations in requests. The root cause is improper sanitization, allowing bypass of the security policy and potentially granting unauthorized access to endpoints and causing denial of service. The...
CVE-2022-1415
CVE-2022-1415 corresponds to Drools core deserialization vulnerability. Affected component: KIE Drools (Drools core) where improper safeguards during data deserialization allow an authenticated attacker to craft serialized objects (gadgets) and execute arbitrary code on the server. Documented imp...
CVE-2018-19362
CVE-2018-19362: A vulnerability in Jackson Databind (FasterXML) affects 2.x prior to 2.9.8, due to failure to block the jboss-common-core class in polymorphic deserialization. The IBM doc lists an unknown impact/attack vector with a base score of 5.3 and notes the issue as an unspecified deserial...
CVE-2020-1714
Keycloak before 11.0.0 contains usages of ObjectInputStream without type checks, allowing deserialization of arbitrary Java objects in a privileged context and potentially enabling remote code execution (CVE-2020-1714). References associate this CVE with Red Hat advisories noting Keycloak as the ...
CVE-2019-14862
Knockout.js vulnerability (CVE-2019-14862). Affected: Knockout.js
CVE-2019-14863
CVE-2019-14863 affects AngularJS: all versions before 1.5.0-beta.0 are vulnerable to cross-site scripting due to unvalidated data delivered with trusted dynamic content after escaping context. The CVE is referenced in multiple sources (e.g., Ubuntu USN-7958-1, IBM Security Bulletins). Impact is c...
CVE-2018-12022
CVE-2018-12022 affects FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (globally or for a property) and the service classpath contains the Jodd‑db jar (for Jodd DB access) with an LDAP service available, an attacker can trigger remote code executio...
CVE-2020-1748
CVE-2020-1748 affects WildFly Elytron before 1.6.8.Final-redhat-00001. A flaw in the WildFlySecurityManager allows bypassing checks when using custom security managers, causing improper authorization and information exposure via unauthenticated access to secure resources. Connected advisories (GH...
CVE-2019-14886
CVE-2019-14886 affects Red Hat Red Hat Decision Manager/Process Automation Manager (business-central) shipped in rhdm-7.5.1 and rhpam-7.5.1. Root cause: passwords are stored in errai_security_context encoded with Base64 (not encrypted). Impact: potential exposure of user passwords if recovered. P...
CVE-2017-7545
CVE-2017-7545 affects jbpmmigration 6.5, where XmlUtils expands external parameter entities while parsing XML, enabling a remote attacker to read files accessible to the application server user and potentially conduct further XXE attacks. The GHSA and OSV entries corroborate XML External Entity R...
CVE-2019-14841
CVE-2019-14841 affects Red Hat Decision Manager (RHDM) . An authenticated attacker can mutate their role in the HTTP response header, enabling escalation to admin privileges in the Business Central Console . Root cause: improper handling of role assignment in header processing within RHDM. Impact...
CVE-2019-14840
The CVE-2019-14840 entry concerns Red Hat Decision Manager (RHDM). A flaw allows sensitive HTML form fields (e.g., password) to have auto-complete enabled, potentially leaking credentials. Documented impact is confidentiality loss (C:H) with no impact to integrity/availability, and CVSS v3.1 base...