Vulnerability-Lookup

CVE-2020-11988 (GCVE-0-2020-11988)

Vulnerability from cvelistv5 – Published: 2021-02-24 17:05 – Updated: 2024-08-04 11:48

Summary

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.

Severity ?

No CVSS data available.

CWE

Information Disclosure

Assigner

apache

References

8 references

URL	Tags
https://xmlgraphics.apache.org/security.html	x_refsource_MISC
https://lists.apache.org/thread.html/r588d05a0790…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/ra8f4d6ae402…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r2877ae10e8b…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
n/a	Apache XmlGraphics Commons	Affected: Apache XmlGraphics Commons , < 2.6 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.553Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xmlgraphics.apache.org/security.html"
          },
          {
            "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
          },
          {
            "name": "[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E"
          },
          {
            "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
          },
          {
            "name": "FEDORA-2021-aa2936e810",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
          },
          {
            "name": "FEDORA-2021-c07a9e79cf",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache XmlGraphics Commons",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "2.6",
              "status": "affected",
              "version": "Apache XmlGraphics Commons",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-04T12:29:48.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xmlgraphics.apache.org/security.html"
        },
        {
          "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
        },
        {
          "name": "[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E"
        },
        {
          "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
        },
        {
          "name": "FEDORA-2021-aa2936e810",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
        },
        {
          "name": "FEDORA-2021-c07a9e79cf",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-11988",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache XmlGraphics Commons",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache XmlGraphics Commons",
                            "version_value": "2.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://xmlgraphics.apache.org/security.html",
              "refsource": "MISC",
              "url": "https://xmlgraphics.apache.org/security.html"
            },
            {
              "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E"
            },
            {
              "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-aa2936e810",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
            },
            {
              "name": "FEDORA-2021-c07a9e79cf",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-11988",
    "datePublished": "2021-02-24T17:05:39.000Z",
    "dateReserved": "2020-04-21T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:48:57.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-11988",
      "date": "2026-05-20",
      "epss": "0.00431",
      "percentile": "0.62754"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:xmlgraphics_commons:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.4\", \"matchCriteriaId\": \"4E4429B0-5943-4ECF-98A9-B1D961A8D9F3\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.\"}, {\"lang\": \"es\", \"value\": \"Apache XmlGraphics Commons versi\\u00f3n 2.4 y anteriores son vulnerables a la falsificaci\\u00f3n de peticiones del lado del servidor, causada por una validaci\\u00f3n de entrada inadecuada por parte del XMPParser. Utilizando un argumento especialmente dise\\u00f1ado, un atacante podr\\u00eda explotar esta vulnerabilidad para hacer que el servidor subyacente realice peticiones GET arbitrarias. Los usuarios deber\\u00edan actualizar a la versi\\u00f3n 2.6 o posterior\"}]",
      "id": "CVE-2020-11988",
      "lastModified": "2024-11-21T04:59:03.657",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-02-24T18:15:11.187",
      "references": "[{\"url\": \"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/\", \"source\": \"security@apache.org\"}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://xmlgraphics.apache.org/security.html\", \"source\": \"security@apache.org\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://xmlgraphics.apache.org/security.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}, {\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-11988\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-02-24T18:15:11.187\",\"lastModified\":\"2024-11-21T04:59:03.657\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.\"},{\"lang\":\"es\",\"value\":\"Apache XmlGraphics Commons versi\u00f3n 2.4 y anteriores son vulnerables a la falsificaci\u00f3n de peticiones del lado del servidor, causada por una validaci\u00f3n de entrada inadecuada por parte del XMPParser. Utilizando un argumento especialmente dise\u00f1ado, un atacante podr\u00eda explotar esta vulnerabilidad para hacer que el servidor subyacente realice peticiones GET arbitrarias. Los usuarios deber\u00edan actualizar a la versi\u00f3n 2.6 o posterior\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:xmlgraphics_commons:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.4\",\"matchCriteriaId\":\"4E4429B0-5943-4ECF-98A9-B1D961A8D9F3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://xmlgraphics.apache.org/security.html\",\"source\":\"security@apache.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://xmlgraphics.apache.org/security.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-556

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Oracle	Database Server	Oracle Database Server 12.1.0.2, 12.2.0.1, 19c
	Oracle	Database Server	Oracle Database Server versions antérieures à 21.1.0.00.04

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpujul2021 du 20 juillet 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Database Server 12.1.0.2, 12.2.0.1, 19c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server versions ant\u00e9rieures \u00e0 21.1.0.00.04",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-13956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
    },
    {
      "name": "CVE-2021-23336",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23336"
    },
    {
      "name": "CVE-2020-11988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11988"
    },
    {
      "name": "CVE-2021-2337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2337"
    },
    {
      "name": "CVE-2021-2438",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2438"
    },
    {
      "name": "CVE-2020-27193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27193"
    },
    {
      "name": "CVE-2021-2326",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2326"
    },
    {
      "name": "CVE-2021-2333",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2333"
    },
    {
      "name": "CVE-2020-10878",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10878"
    },
    {
      "name": "CVE-2021-2351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2351"
    },
    {
      "name": "CVE-2020-7760",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7760"
    },
    {
      "name": "CVE-2021-2330",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2330"
    },
    {
      "name": "CVE-2020-27844",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27844"
    },
    {
      "name": "CVE-2020-26870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26870"
    },
    {
      "name": "CVE-2021-2460",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2460"
    },
    {
      "name": "CVE-2021-2328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2328"
    },
    {
      "name": "CVE-2019-12415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12415"
    },
    {
      "name": "CVE-2020-28196",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28196"
    },
    {
      "name": "CVE-2020-8908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
    },
    {
      "name": "CVE-2021-2336",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2336"
    },
    {
      "name": "CVE-2020-11987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11987"
    },
    {
      "name": "CVE-2021-2335",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2335"
    },
    {
      "name": "CVE-2021-2329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2329"
    },
    {
      "name": "CVE-2020-25649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
    },
    {
      "name": "CVE-2021-2334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2334"
    },
    {
      "name": "CVE-2019-17545",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17545"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-556",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-07-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service,\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2021 du 20 juillet 2021",
      "url": "https://www.oracle.com/security-alerts/cpujul2021verbose.html#DB"
    }
  ]
}

CERTFR-2021-AVI-951

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - AUS 8.4 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - TUS 8.4 x86_64
Red Hat	N/A	Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
SolarWinds	Platform	Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
Red Hat	N/A	Red Hat Integration Text-Only Advisories x86_64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
Red Hat	N/A	Red Hat Openshift Application Runtimes Text-Only Advisories x86_64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
Red Hat	N/A	Red Hat Integration - Camel K 1 x86_64
SolarWinds	Platform	Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
Red Hat	N/A	Red Hat Fuse 1 x86_64
SolarWinds	Platform	Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64
Red Hat	N/A	Red Hat JBoss Data Grid Text-Only Advisories x86_64

References

Title

Publication Time

Tags

Bulletin de sécurité RedHat RHSA-2021:5130 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHBA-2021:5114 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5138 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5132 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5126 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5134 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5133 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5108 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5093 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5101 du 14 décembre 2021	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Integration Text-Only Advisories x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le",
      "product": {
        "name": "Red Hat CodeReady Linux Builder",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64",
      "product": {
        "name": "Red Hat CodeReady Linux Builder",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Openshift Application Runtimes Text-Only Advisories x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64",
      "product": {
        "name": "Red Hat CodeReady Linux Builder",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Integration - Camel K 1 x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Fuse 1 x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat JBoss Data Grid Text-Only Advisories x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-27223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27223"
    },
    {
      "name": "CVE-2020-27218",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27218"
    },
    {
      "name": "CVE-2021-21343",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
    },
    {
      "name": "CVE-2021-29425",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
    },
    {
      "name": "CVE-2021-21409",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
    },
    {
      "name": "CVE-2021-22118",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22118"
    },
    {
      "name": "CVE-2020-2875",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2875"
    },
    {
      "name": "CVE-2021-3536",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
    },
    {
      "name": "CVE-2021-28169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
    },
    {
      "name": "CVE-2021-21348",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
    },
    {
      "name": "CVE-2020-11988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11988"
    },
    {
      "name": "CVE-2020-35510",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35510"
    },
    {
      "name": "CVE-2021-45606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45606"
    },
    {
      "name": "CVE-2020-2934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2934"
    },
    {
      "name": "CVE-2021-21344",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
    },
    {
      "name": "CVE-2020-26259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
    },
    {
      "name": "CVE-2021-3597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
    },
    {
      "name": "CVE-2021-28170",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
    },
    {
      "name": "CVE-2021-21341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
    },
    {
      "name": "CVE-2020-13949",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
    },
    {
      "name": "CVE-2021-4104",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104"
    },
    {
      "name": "CVE-2021-3690",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
    },
    {
      "name": "CVE-2020-17521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17521"
    },
    {
      "name": "CVE-2021-22696",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22696"
    },
    {
      "name": "CVE-2021-28163",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
    },
    {
      "name": "CVE-2021-37137",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
    },
    {
      "name": "CVE-2020-9488",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488"
    },
    {
      "name": "CVE-2021-21347",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
    },
    {
      "name": "CVE-2021-27568",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27568"
    },
    {
      "name": "CVE-2020-26217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
    },
    {
      "name": "CVE-2021-37136",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
    },
    {
      "name": "CVE-2021-23926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23926"
    },
    {
      "name": "CVE-2019-10744",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
    },
    {
      "name": "CVE-2021-21295",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
    },
    {
      "name": "CVE-2021-21346",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
    },
    {
      "name": "CVE-2021-30468",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30468"
    },
    {
      "name": "CVE-2021-21351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
    },
    {
      "name": "CVE-2021-21345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
    },
    {
      "name": "CVE-2020-28491",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
    },
    {
      "name": "CVE-2021-45046",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
    },
    {
      "name": "CVE-2021-37714",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37714"
    },
    {
      "name": "CVE-2019-12415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12415"
    },
    {
      "name": "CVE-2021-20218",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20218"
    },
    {
      "name": "CVE-2020-27782",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27782"
    },
    {
      "name": "CVE-2021-30129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
    },
    {
      "name": "CVE-2020-17527",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17527"
    },
    {
      "name": "CVE-2021-21349",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
    },
    {
      "name": "CVE-2021-44228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
    },
    {
      "name": "CVE-2020-13943",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13943"
    },
    {
      "name": "CVE-2020-15522",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15522"
    },
    {
      "name": "CVE-2021-28164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
    },
    {
      "name": "CVE-2020-11987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11987"
    },
    {
      "name": "CVE-2021-21290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
    },
    {
      "name": "CVE-2021-21342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
    },
    {
      "name": "CVE-2021-3629",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3629"
    },
    {
      "name": "CVE-2021-21350",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
    },
    {
      "name": "CVE-2021-34428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5101 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHBA-2021:5101"
    }
  ],
  "reference": "CERTFR-2021-AVI-951",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-12-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de\nRedHat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service et une\natteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de RedHat",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5130 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5130"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHBA-2021:5114 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHBA-2021:5114"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5138 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5138"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5132 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5132"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5126 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5126"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5134 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5134"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5133 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5133"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5108 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5108"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5093 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5093"
    }
  ]
}

CERTFR-2021-AVI-556

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Oracle	Database Server	Oracle Database Server 12.1.0.2, 12.2.0.1, 19c
	Oracle	Database Server	Oracle Database Server versions antérieures à 21.1.0.00.04

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpujul2021 du 20 juillet 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Database Server 12.1.0.2, 12.2.0.1, 19c",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server versions ant\u00e9rieures \u00e0 21.1.0.00.04",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-13956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
    },
    {
      "name": "CVE-2021-23336",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23336"
    },
    {
      "name": "CVE-2020-11988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11988"
    },
    {
      "name": "CVE-2021-2337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2337"
    },
    {
      "name": "CVE-2021-2438",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2438"
    },
    {
      "name": "CVE-2020-27193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27193"
    },
    {
      "name": "CVE-2021-2326",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2326"
    },
    {
      "name": "CVE-2021-2333",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2333"
    },
    {
      "name": "CVE-2020-10878",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10878"
    },
    {
      "name": "CVE-2021-2351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2351"
    },
    {
      "name": "CVE-2020-7760",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7760"
    },
    {
      "name": "CVE-2021-2330",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2330"
    },
    {
      "name": "CVE-2020-27844",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27844"
    },
    {
      "name": "CVE-2020-26870",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26870"
    },
    {
      "name": "CVE-2021-2460",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2460"
    },
    {
      "name": "CVE-2021-2328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2328"
    },
    {
      "name": "CVE-2019-12415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12415"
    },
    {
      "name": "CVE-2020-28196",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28196"
    },
    {
      "name": "CVE-2020-8908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
    },
    {
      "name": "CVE-2021-2336",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2336"
    },
    {
      "name": "CVE-2020-11987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11987"
    },
    {
      "name": "CVE-2021-2335",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2335"
    },
    {
      "name": "CVE-2021-2329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2329"
    },
    {
      "name": "CVE-2020-25649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
    },
    {
      "name": "CVE-2021-2334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-2334"
    },
    {
      "name": "CVE-2019-17545",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17545"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-556",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-07-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service,\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2021 du 20 juillet 2021",
      "url": "https://www.oracle.com/security-alerts/cpujul2021verbose.html#DB"
    }
  ]
}

CERTFR-2021-AVI-951

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - AUS 8.4 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - TUS 8.4 x86_64
Red Hat	N/A	Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
SolarWinds	Platform	Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
Red Hat	N/A	Red Hat Integration Text-Only Advisories x86_64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
Red Hat	Red Hat Enterprise Linux Server	Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
Red Hat	N/A	Red Hat Openshift Application Runtimes Text-Only Advisories x86_64
Red Hat	Red Hat CodeReady Linux Builder	Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
Red Hat	N/A	Red Hat Integration - Camel K 1 x86_64
SolarWinds	Platform	Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
Red Hat	N/A	Red Hat Fuse 1 x86_64
SolarWinds	Platform	Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
Red Hat	Red Hat Enterprise Linux	Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64
Red Hat	N/A	Red Hat JBoss Data Grid Text-Only Advisories x86_64

References

Title

Publication Time

Tags

Bulletin de sécurité RedHat RHSA-2021:5130 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHBA-2021:5114 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5138 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5132 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5126 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5134 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5133 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5108 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5093 du 14 décembre 2021	None	vendor-advisory
Bulletin de sécurité RedHat RHSA-2021:5101 du 14 décembre 2021	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Integration Text-Only Advisories x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le",
      "product": {
        "name": "Red Hat CodeReady Linux Builder",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64",
      "product": {
        "name": "Red Hat CodeReady Linux Builder",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux Server",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Openshift Application Runtimes Text-Only Advisories x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64",
      "product": {
        "name": "Red Hat CodeReady Linux Builder",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Integration - Camel K 1 x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Fuse 1 x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64",
      "product": {
        "name": "Red Hat Enterprise Linux",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    },
    {
      "description": "Red Hat JBoss Data Grid Text-Only Advisories x86_64",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Red Hat",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-27223",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27223"
    },
    {
      "name": "CVE-2020-27218",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27218"
    },
    {
      "name": "CVE-2021-21343",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
    },
    {
      "name": "CVE-2021-29425",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
    },
    {
      "name": "CVE-2021-21409",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
    },
    {
      "name": "CVE-2021-22118",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22118"
    },
    {
      "name": "CVE-2020-2875",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2875"
    },
    {
      "name": "CVE-2021-3536",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
    },
    {
      "name": "CVE-2021-28169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
    },
    {
      "name": "CVE-2021-21348",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
    },
    {
      "name": "CVE-2020-11988",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11988"
    },
    {
      "name": "CVE-2020-35510",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-35510"
    },
    {
      "name": "CVE-2021-45606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45606"
    },
    {
      "name": "CVE-2020-2934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2934"
    },
    {
      "name": "CVE-2021-21344",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
    },
    {
      "name": "CVE-2020-26259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
    },
    {
      "name": "CVE-2021-3597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
    },
    {
      "name": "CVE-2021-28170",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
    },
    {
      "name": "CVE-2021-21341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
    },
    {
      "name": "CVE-2020-13949",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
    },
    {
      "name": "CVE-2021-4104",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4104"
    },
    {
      "name": "CVE-2021-3690",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
    },
    {
      "name": "CVE-2020-17521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17521"
    },
    {
      "name": "CVE-2021-22696",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22696"
    },
    {
      "name": "CVE-2021-28163",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
    },
    {
      "name": "CVE-2021-37137",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
    },
    {
      "name": "CVE-2020-9488",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-9488"
    },
    {
      "name": "CVE-2021-21347",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
    },
    {
      "name": "CVE-2021-27568",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27568"
    },
    {
      "name": "CVE-2020-26217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
    },
    {
      "name": "CVE-2021-37136",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
    },
    {
      "name": "CVE-2021-23926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23926"
    },
    {
      "name": "CVE-2019-10744",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
    },
    {
      "name": "CVE-2021-21295",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
    },
    {
      "name": "CVE-2021-21346",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
    },
    {
      "name": "CVE-2021-30468",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30468"
    },
    {
      "name": "CVE-2021-21351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
    },
    {
      "name": "CVE-2021-21345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
    },
    {
      "name": "CVE-2020-28491",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
    },
    {
      "name": "CVE-2021-45046",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
    },
    {
      "name": "CVE-2021-37714",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37714"
    },
    {
      "name": "CVE-2019-12415",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12415"
    },
    {
      "name": "CVE-2021-20218",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20218"
    },
    {
      "name": "CVE-2020-27782",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27782"
    },
    {
      "name": "CVE-2021-30129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
    },
    {
      "name": "CVE-2020-17527",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17527"
    },
    {
      "name": "CVE-2021-21349",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
    },
    {
      "name": "CVE-2021-44228",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
    },
    {
      "name": "CVE-2020-13943",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13943"
    },
    {
      "name": "CVE-2020-15522",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15522"
    },
    {
      "name": "CVE-2021-28164",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
    },
    {
      "name": "CVE-2020-11987",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-11987"
    },
    {
      "name": "CVE-2021-21290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
    },
    {
      "name": "CVE-2021-21342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
    },
    {
      "name": "CVE-2021-3629",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3629"
    },
    {
      "name": "CVE-2021-21350",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
    },
    {
      "name": "CVE-2021-34428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5101 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHBA-2021:5101"
    }
  ],
  "reference": "CERTFR-2021-AVI-951",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-12-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de\nRedHat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service et une\natteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de RedHat",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5130 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5130"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHBA-2021:5114 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHBA-2021:5114"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5138 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5138"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5132 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5132"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5126 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5126"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5134 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5134"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5133 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5133"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5108 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5108"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5093 du 14 d\u00e9cembre 2021",
      "url": "https://access.redhat.com/errata/RHSA-2021:5093"
    }
  ]
}

BDU:2022-00276

Vulnerability from fstec - Published: 10.03.2021

Title

Уязвимость программного обеспечения для преобразования XML форматов xmlgraphics-commons, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

Description

Уязвимость программного обеспечения для преобразования XML форматов xmlgraphics-commons связана с недостаточной проверкой вводимых данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить доступ к конфиденциальным данным и нарушить их целостность

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Vendor

Сообщество свободного программного обеспечения, ООО «РусБИТех-Астра», Apache Software Foundation, АО "НППКТ"

Software Name

Debian GNU/Linux, Astra Linux Special Edition (запись в едином реестре российских программ №369), Xmlgraphics-commons, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)

Software Version

9 (Debian GNU/Linux), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), до 2.4 (Xmlgraphics-commons), до 2.3 (ОСОН ОСнова Оnyx), до 2.4.2 (ОСОН ОСнова Оnyx)

Possible Mitigations

Для Xmlgraphics-commons: использование рекомендаций производителя: https://xmlgraphics.apache.org/security.html Для Debian: использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2020-11988 Для Astra Linux: использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17 Для ОСОН Основа: Обновление программного обеспечения xmlgraphics-commons до версии 2.3-1+deb10u1

Reference

https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E https://nvd.nist.gov/vuln/detail/CVE-2020-11988 https://security-tracker.debian.org/tracker/CVE-2020-11988 https://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17 https://xmlgraphics.apache.org/security.html https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.3/

CWE

CWE-20

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Apache Software Foundation, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), \u0434\u043e 2.4 (Xmlgraphics-commons), \u0434\u043e 2.3 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 2.4.2 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Xmlgraphics-commons:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://xmlgraphics.apache.org/security.html\n\n\u0414\u043b\u044f Debian:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://security-tracker.debian.org/tracker/CVE-2020-11988\n\n\u0414\u043b\u044f Astra Linux:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f xmlgraphics-commons \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.3-1+deb10u1",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "10.03.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "17.10.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "17.01.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-00276",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-11988",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Xmlgraphics-commons, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u044f XML \u0444\u043e\u0440\u043c\u0430\u0442\u043e\u0432 xmlgraphics-commons, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0438 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u044f XML \u0444\u043e\u0440\u043c\u0430\u0442\u043e\u0432 xmlgraphics-commons \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0438 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E\nhttps://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E\nhttps://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11988\nhttps://security-tracker.debian.org/tracker/CVE-2020-11988\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2021-1126SE17\nhttps://xmlgraphics.apache.org/security.html\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.3/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,4)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,2)"
}

CNVD-2021-14153

Vulnerability from cnvd - Published: 2021-03-03

Title

Apache XmlGraphics Commons服务器端请求伪造漏洞

Description

Apache XmlGraphics Commons是Apach开源的一个系统库。提供几个可重用的库。 Apache XmlGraphics Commons 2.4存在服务器端请求伪造漏洞，该漏洞源于XMPParser未能正确的输入验证，通过使用巧尽心思构建的参数，攻击者可以利用此漏洞使基础服务器发出任意GET请求。

Severity

中

Patch Name

Apache XmlGraphics Commons服务器端请求伪造漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新：https://xmlgraphics.apache.org/security.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-11988

Impacted products

Name
Apache Apache XmlGraphics Commons 2.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-11988",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-11988"
    }
  },
  "description": "Apache XmlGraphics Commons\u662fApach\u5f00\u6e90\u7684\u4e00\u4e2a\u7cfb\u7edf\u5e93\u3002\u63d0\u4f9b\u51e0\u4e2a\u53ef\u91cd\u7528\u7684\u5e93\u3002\n\nApache XmlGraphics Commons 2.4\u5b58\u5728\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eXMPParser\u672a\u80fd\u6b63\u786e\u7684\u8f93\u5165\u9a8c\u8bc1\uff0c\u901a\u8fc7\u4f7f\u7528\u5de7\u5c3d\u5fc3\u601d\u6784\u5efa\u7684\u53c2\u6570\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u4f7f\u57fa\u7840\u670d\u52a1\u5668\u53d1\u51fa\u4efb\u610fGET\u8bf7\u6c42\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://xmlgraphics.apache.org/security.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-14153",
  "openTime": "2021-03-03",
  "patchDescription": "Apache XmlGraphics Commons\u662fApach\u5f00\u6e90\u7684\u4e00\u4e2a\u7cfb\u7edf\u5e93\u3002\u63d0\u4f9b\u51e0\u4e2a\u53ef\u91cd\u7528\u7684\u5e93\u3002\r\n\r\nApache XmlGraphics Commons 2.4\u5b58\u5728\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eXMPParser\u672a\u80fd\u6b63\u786e\u7684\u8f93\u5165\u9a8c\u8bc1\uff0c\u901a\u8fc7\u4f7f\u7528\u5de7\u5c3d\u5fc3\u601d\u6784\u5efa\u7684\u53c2\u6570\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u4f7f\u57fa\u7840\u670d\u52a1\u5668\u53d1\u51fa\u4efb\u610fGET\u8bf7\u6c42\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache XmlGraphics Commons\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache XmlGraphics Commons 2.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-11988",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-26",
  "title": "Apache XmlGraphics Commons\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

FKIE_CVE-2020-11988

Vulnerability from fkie_nvd - Published: 2021-02-24 18:15 - Updated: 2024-11-21 04:59

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E
security@apache.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/
security@apache.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/
security@apache.org	https://www.oracle.com//security-alerts/cpujul2021.html	Patch, Third Party Advisory
security@apache.org	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch, Third Party Advisory
security@apache.org	https://xmlgraphics.apache.org/security.html	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com//security-alerts/cpujul2021.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://xmlgraphics.apache.org/security.html	Release Notes, Vendor Advisory

Impacted products

Vendor	Product	Version
apache	xmlgraphics_commons	*
fedoraproject	fedora	33
fedoraproject	fedora	34

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:xmlgraphics_commons:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E4429B0-5943-4ECF-98A9-B1D961A8D9F3",
              "versionEndIncluding": "2.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
              "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."
    },
    {
      "lang": "es",
      "value": "Apache XmlGraphics Commons versi\u00f3n 2.4 y anteriores son vulnerables a la falsificaci\u00f3n de peticiones del lado del servidor, causada por una validaci\u00f3n de entrada inadecuada por parte del XMPParser. Utilizando un argumento especialmente dise\u00f1ado, un atacante podr\u00eda explotar esta vulnerabilidad para hacer que el servidor subyacente realice peticiones GET arbitrarias. Los usuarios deber\u00edan actualizar a la versi\u00f3n 2.6 o posterior"
    }
  ],
  "id": "CVE-2020-11988",
  "lastModified": "2024-11-21T04:59:03.657",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-24T18:15:11.187",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://xmlgraphics.apache.org/security.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://xmlgraphics.apache.org/security.html"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-FMJ2-7WX8-QJ4V

Vulnerability from github – Published: 2022-02-09 00:45 – Updated: 2022-01-06 19:58

Summary

Server-side request forgery (SSRF) in Apache XmlGraphics Commons

Details

Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.xmlgraphics:xmlgraphics-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-31T20:37:35Z",
    "nvd_published_at": "2021-02-24T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.",
  "id": "GHSA-fmj2-7wx8-qj4v",
  "modified": "2022-01-06T19:58:58Z",
  "published": "2022-02-09T00:45:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/xmlgraphics-commons"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/XGC-122"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://xmlgraphics.apache.org/security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server-side request forgery (SSRF) in Apache XmlGraphics Commons"
}

GSD-2020-11988

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-11988

Aliases

CVE-2020-11988

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-11988",
    "description": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.",
    "id": "GSD-2020-11988",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-11988.html",
      "https://access.redhat.com/errata/RHSA-2021:5134",
      "https://access.redhat.com/errata/RHSA-2021:2476",
      "https://access.redhat.com/errata/RHSA-2021:2475",
      "https://advisories.mageia.org/CVE-2020-11988.html",
      "https://security.archlinux.org/CVE-2020-11988"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-11988"
      ],
      "details": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.",
      "id": "GSD-2020-11988",
      "modified": "2023-12-13T01:22:07.888469Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2020-11988",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache XmlGraphics Commons",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache XmlGraphics Commons",
                          "version_value": "2.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Information Disclosure"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://xmlgraphics.apache.org/security.html",
            "refsource": "MISC",
            "url": "https://xmlgraphics.apache.org/security.html"
          },
          {
            "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E"
          },
          {
            "name": "[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E"
          },
          {
            "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E"
          },
          {
            "name": "FEDORA-2021-aa2936e810",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
          },
          {
            "name": "FEDORA-2021-c07a9e79cf",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
          },
          {
            "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.4]",
          "affected_versions": "Version 2.4",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Apache XmlGraphics Commons is vulnerable to server-side request forgery, caused by improper input validation by the `XMPParser`. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.",
          "fixed_versions": [
            "2.6"
          ],
          "identifier": "CVE-2020-11988",
          "identifiers": [
            "CVE-2020-11988"
          ],
          "not_impacted": "All versions before 2.4, all versions after 2.4",
          "package_slug": "maven/org.apache.xmlgraphics/xmlgraphics-commons",
          "pubdate": "2021-02-24",
          "solution": "Upgrade to version 2.6 or above.",
          "title": "Server-Side Request Forgery (SSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-11988",
            "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E",
            "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E",
            "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E",
            "https://xmlgraphics.apache.org/security.html"
          ],
          "uuid": "069d7a43-0821-43bf-b8d5-5d2b247ae6f0"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:xmlgraphics_commons:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-11988"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                },
                {
                  "lang": "en",
                  "value": "CWE-918"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://xmlgraphics.apache.org/security.html",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://xmlgraphics.apache.org/security.html"
            },
            {
              "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E"
            },
            {
              "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-aa2936e810",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"
            },
            {
              "name": "FEDORA-2021-c07a9e79cf",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      },
      "lastModifiedDate": "2022-04-22T18:54Z",
      "publishedDate": "2021-02-24T18:15Z"
    }
  }
}

NCSC-2025-0333

Vulnerability from csaf_ncscnl - Published: 2025-10-23 13:35 - Updated: 2025-10-23 13:35

Summary

Kwetsbaarheden verholpen in Oracle Financial Services

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in Oracle Financial Services componenten.

Interpretaties: De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om ongeautoriseerde toegang te krijgen tot gevoelige gegevens via HTTP. Dit kan leiden tot ongeoorloofde toegang en wijzigingen van kritieke data, met een CVSS-score van 9.8 die de significante impact op de vertrouwelijkheid benadrukt. Daarnaast zijn er kwetsbaarheden die kunnen leiden tot denial-of-service (DoS) aanvallen, wat de beschikbaarheid van het systeem in gevaar kan brengen.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans: medium

Schade: high

CWE-20: Improper Input Validation

CWE-23: Relative Path Traversal

CWE-125: Out-of-bounds Read

CWE-197: Numeric Truncation Error

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-284: Improper Access Control

CWE-285: Improper Authorization

CWE-306: Missing Authentication for Critical Function

CWE-400: Uncontrolled Resource Consumption

CWE-404: Improper Resource Shutdown or Release

CWE-611: Improper Restriction of XML External Entity Reference

CWE-674: Uncontrolled Recursion

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-862: Missing Authorization

CWE-863: Incorrect Authorization

CWE-918: Server-Side Request Forgery (SSRF)

CWE-937: CWE-937

CWE-1035: CWE-1035

CWE-1284: Improper Validation of Specified Quantity in Input

CVE-2020-11988

Multiple vulnerabilities in Oracle Financial Services applications and Apache XmlGraphics Commons allow unauthorized access to critical data and server-side request forgery, all with a CVSS score of 8.2.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2024-28168

Recent updates address multiple security vulnerabilities across various products, including XML External Entity (XXE) issues in Apache XML Graphics FOP and Oracle applications, allowing unauthorized access to sensitive data.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-5115

The 'MadeYouReset' vulnerability in HTTP/2 affects certain Jetty versions, allowing denial of service through malformed control frames, while additional vulnerabilities exist in Oracle Communications and SAP Commerce Cloud.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-6965

Critical vulnerabilities in Oracle Communications Cloud Native Core and SQLite versions prior to 3.50.2 expose systems to severe risks, including memory corruption and integer truncation issues.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-197 - Numeric Truncation Error

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-27553

Recent vulnerabilities in Oracle Middleware and Apache Commons VFS expose critical data and allow unauthorized file access, with significant risks associated with their exploitation.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-23 - Relative Path Traversal

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-27817

Multiple vulnerabilities across Apache Kafka and Oracle applications allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for Oracle products.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-31672

Multiple vulnerabilities have been identified across various products, including Apache POI, Oracle BPM Suite, JD Edwards EnterpriseOne, and SAP BusinessObjects, affecting data integrity and allowing unauthorized access or manipulation.

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE-20 - Improper Input Validation

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-32415

Multiple vulnerabilities have been identified in Oracle Java SE and libxml2, allowing for potential system compromise and denial of service, with CVSS scores of 7.5 for several issues.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-1284 - Improper Validation of Specified Quantity in Input

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-41249

Recent vulnerabilities in Oracle Financial Services and the Spring Framework expose critical data and authorization flaws, affecting multiple versions and products with significant security implications.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-285 - Improper Authorization

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-48924

Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-674 - Uncontrolled Recursion

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-48976

Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-48989

Recent updates for Apache Tomcat versions 9, 10, and 11 address the 'MadeYouReset' DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-50074

A vulnerability in Oracle Financial Services Revenue Management and Billing (versions 2.9.0.0.0-7.2.0.0.0) allows high-privileged attackers to gain unauthorized access to critical data via HTTP, with a CVSS 3.1 Base Score of 4.9.

4.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-50075

A vulnerability in Oracle Financial Services Revenue Management and Billing (versions 2.9.0.0.0-7.2.0.0.0) allows low privileged attackers with HTTP access to potentially gain unauthorized access to critical data, with a CVSS score of 6.5.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-284 - Improper Access Control

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-53034

A vulnerability in Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 allows unauthenticated attackers to compromise the system with human interaction, leading to unauthorized data access and modifications.

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-306 - Missing Authentication for Critical Function

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-53035

A vulnerability in Oracle Financial Services Analytical Applications Infrastructure allows low privileged attackers to access critical data, affecting versions 8.0.7.9, 8.0.8.7, and 8.1.2.5, with a CVSS score of 6.5.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-284 - Improper Access Control

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-53036

A vulnerability in Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 allows unauthenticated attackers to access critical data via HTTP, with a CVSS score of 8.6.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-53037

A critical vulnerability in Oracle Financial Services Analytical Applications Infrastructure (versions 8.0.7.9, 8.0.8.7, and 8.1.2.5) allows unauthenticated attackers to compromise the system via HTTP, with a CVSS score of 9.8.

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 - Missing Authentication for Critical Function

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-55163

Recent updates to Netty address critical vulnerabilities, including the 'MadeYouReset' DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-59375

A memory amplification vulnerability in libexpat (CVE-2025-59375) allows excessive memory allocations from crafted XML input, affecting versions prior to 2.7.2, while a Security-in-Depth issue exists in Oracle Database Server's Perl component but is not exploitable.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-61751

A vulnerability in Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 allows low-privileged attackers to exploit it via HTTP, posing significant risks to data confidentiality and integrity.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-862 - Missing Authorization

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

CVE-2025-61756

A vulnerability in Oracle Financial Services Analytical Applications Infrastructure allows unauthenticated attackers to execute denial of service attacks on specific versions, rated with a CVSS score of 7.5.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-306 - Missing Authentication for Critical Function

Affected products

Known affected 9 products

Product	Identifier	Version	Remediation
vers:unknown/* Oracle / Financial Services Revenue Management And Billing		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Branch		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Corporate Lending Process Management		vers:unknown/*
vers:unknown/* Oracle / Oracle Banking Origination		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Analytical Applications Infrastructure		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Behavior Detection Platform		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Compliance Studio		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Model Management and Governance		vers:unknown/*
vers:unknown/* Oracle / Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition		vers:unknown/*

References

23 references

URL	Category
https://www.oracle.com/security-alerts/cpuoct2025.html	external
https://vulnerabilities.ncsc.nl/csaf/v2/2020/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in Oracle Financial Services componenten.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om ongeautoriseerde toegang te krijgen tot gevoelige gegevens via HTTP. Dit kan leiden tot ongeoorloofde toegang en wijzigingen van kritieke data, met een CVSS-score van 9.8 die de significante impact op de vertrouwelijkheid benadrukt. Daarnaast zijn er kwetsbaarheden die kunnen leiden tot denial-of-service (DoS) aanvallen, wat de beschikbaarheid van het systeem in gevaar kan brengen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Relative Path Traversal",
        "title": "CWE-23"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      },
      {
        "category": "general",
        "text": "Numeric Truncation Error",
        "title": "CWE-197"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Authorization",
        "title": "CWE-285"
      },
      {
        "category": "general",
        "text": "Missing Authentication for Critical Function",
        "title": "CWE-306"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Improper Restriction of XML External Entity Reference",
        "title": "CWE-611"
      },
      {
        "category": "general",
        "text": "Uncontrolled Recursion",
        "title": "CWE-674"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Missing Authorization",
        "title": "CWE-862"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "CWE-937",
        "title": "CWE-937"
      },
      {
        "category": "general",
        "text": "CWE-1035",
        "title": "CWE-1035"
      },
      {
        "category": "general",
        "text": "Improper Validation of Specified Quantity in Input",
        "title": "CWE-1284"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Financial Services",
    "tracking": {
      "current_release_date": "2025-10-23T13:35:32.902231Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0333",
      "initial_release_date": "2025-10-23T13:35:32.902231Z",
      "revision_history": [
        {
          "date": "2025-10-23T13:35:32.902231Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Financial Services Revenue Management And Billing"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Branch"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Corporate Lending Process Management"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Banking Origination"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Analytical Applications Infrastructure"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Behavior Detection Platform"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Compliance Studio"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Model Management and Governance"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-11988",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities in Oracle Financial Services applications and Apache XmlGraphics Commons allow unauthorized access to critical data and server-side request forgery, all with a CVSS score of 8.2.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-11988 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2020/cve-2020-11988.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2020-11988"
    },
    {
      "cve": "CVE-2024-28168",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Restriction of XML External Entity Reference",
          "title": "CWE-611"
        },
        {
          "category": "description",
          "text": "Recent updates address multiple security vulnerabilities across various products, including XML External Entity (XXE) issues in Apache XML Graphics FOP and Oracle applications, allowing unauthorized access to sensitive data.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-28168 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-28168.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2024-28168"
    },
    {
      "cve": "CVE-2025-5115",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "The \u0027MadeYouReset\u0027 vulnerability in HTTP/2 affects certain Jetty versions, allowing denial of service through malformed control frames, while additional vulnerabilities exist in Oracle Communications and SAP Commerce Cloud.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-5115 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-5115"
    },
    {
      "cve": "CVE-2025-6965",
      "cwe": {
        "id": "CWE-197",
        "name": "Numeric Truncation Error"
      },
      "notes": [
        {
          "category": "other",
          "text": "Numeric Truncation Error",
          "title": "CWE-197"
        },
        {
          "category": "description",
          "text": "Critical vulnerabilities in Oracle Communications Cloud Native Core and SQLite versions prior to 3.50.2 expose systems to severe risks, including memory corruption and integer truncation issues.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Green",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-6965 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-6965.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-6965"
    },
    {
      "cve": "CVE-2025-27553",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "other",
          "text": "Relative Path Traversal",
          "title": "CWE-23"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Middleware and Apache Commons VFS expose critical data and allow unauthorized file access, with significant risks associated with their exploitation.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27553 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27553.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-27553"
    },
    {
      "cve": "CVE-2025-27817",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities across Apache Kafka and Oracle applications allow unauthorized access to sensitive data, with notable SSRF risks and CVSS scores of 7.5 for Oracle products.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-27817 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27817.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-27817"
    },
    {
      "cve": "CVE-2025-31672",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified across various products, including Apache POI, Oracle BPM Suite, JD Edwards EnterpriseOne, and SAP BusinessObjects, affecting data integrity and allowing unauthorized access or manipulation.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-31672 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31672.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-31672"
    },
    {
      "cve": "CVE-2025-32415",
      "cwe": {
        "id": "CWE-1284",
        "name": "Improper Validation of Specified Quantity in Input"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Validation of Specified Quantity in Input",
          "title": "CWE-1284"
        },
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities have been identified in Oracle Java SE and libxml2, allowing for potential system compromise and denial of service, with CVSS scores of 7.5 for several issues.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-32415 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-32415.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-32415"
    },
    {
      "cve": "CVE-2025-41249",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Authorization",
          "title": "CWE-285"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle Financial Services and the Spring Framework expose critical data and authorization flaws, affecting multiple versions and products with significant security implications.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-41249 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-41249.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-41249"
    },
    {
      "cve": "CVE-2025-48924",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Recursion",
          "title": "CWE-674"
        },
        {
          "category": "description",
          "text": "Recent vulnerabilities in Oracle WebLogic Server and Apache Commons Lang versions expose systems to denial of service risks, including an uncontrolled recursion flaw leading to StackOverflowErrors.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48924 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48924.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-48924"
    },
    {
      "cve": "CVE-2025-48976",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "Multiple vulnerabilities affecting Oracle Application Testing Suite and Apache Commons FileUpload, including DoS risks due to insufficient multipart header limits, have been identified, with CVSS scores reaching 7.5.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48976 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48976.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-48976"
    },
    {
      "cve": "CVE-2025-48989",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "description",
          "text": "Recent updates for Apache Tomcat versions 9, 10, and 11 address the \u0027MadeYouReset\u0027 DoS vulnerability in HTTP/2, along with various enhancements to components like Catalina and Coyote.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-48989 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48989.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-48989"
    },
    {
      "cve": "CVE-2025-50074",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Revenue Management and Billing (versions 2.9.0.0.0-7.2.0.0.0) allows high-privileged attackers to gain unauthorized access to critical data via HTTP, with a CVSS 3.1 Base Score of 4.9.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-50074 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-50074.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-50074"
    },
    {
      "cve": "CVE-2025-50075",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Revenue Management and Billing (versions 2.9.0.0.0-7.2.0.0.0) allows low privileged attackers with HTTP access to potentially gain unauthorized access to critical data, with a CVSS score of 6.5.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-50075 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-50075.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-50075"
    },
    {
      "cve": "CVE-2025-53034",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authentication for Critical Function",
          "title": "CWE-306"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 allows unauthenticated attackers to compromise the system with human interaction, leading to unauthorized data access and modifications.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53034 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53034.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-53034"
    },
    {
      "cve": "CVE-2025-53035",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Analytical Applications Infrastructure allows low privileged attackers to access critical data, affecting versions 8.0.7.9, 8.0.8.7, and 8.1.2.5, with a CVSS score of 6.5.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53035 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53035.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-53035"
    },
    {
      "cve": "CVE-2025-53036",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 allows unauthenticated attackers to access critical data via HTTP, with a CVSS score of 8.6.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53036 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53036.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-53036"
    },
    {
      "cve": "CVE-2025-53037",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authentication for Critical Function",
          "title": "CWE-306"
        },
        {
          "category": "description",
          "text": "A critical vulnerability in Oracle Financial Services Analytical Applications Infrastructure (versions 8.0.7.9, 8.0.8.7, and 8.1.2.5) allows unauthenticated attackers to compromise the system via HTTP, with a CVSS score of 9.8.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53037 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53037.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-53037"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "other",
          "text": "CWE-1035",
          "title": "CWE-1035"
        },
        {
          "category": "other",
          "text": "CWE-937",
          "title": "CWE-937"
        },
        {
          "category": "description",
          "text": "Recent updates to Netty address critical vulnerabilities, including the \u0027MadeYouReset\u0027 DDoS attack in HTTP/2, which can lead to denial of service through resource exhaustion in various affected versions.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55163 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55163.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-55163"
    },
    {
      "cve": "CVE-2025-59375",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        },
        {
          "category": "description",
          "text": "A memory amplification vulnerability in libexpat (CVE-2025-59375) allows excessive memory allocations from crafted XML input, affecting versions prior to 2.7.2, while a Security-in-Depth issue exists in Oracle Database Server\u0027s Perl component but is not exploitable.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-59375 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-59375.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-59375"
    },
    {
      "cve": "CVE-2025-61751",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authorization",
          "title": "CWE-862"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 allows low-privileged attackers to exploit it via HTTP, posing significant risks to data confidentiality and integrity.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-61751 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61751.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-61751"
    },
    {
      "cve": "CVE-2025-61756",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authentication for Critical Function",
          "title": "CWE-306"
        },
        {
          "category": "description",
          "text": "A vulnerability in Oracle Financial Services Analytical Applications Infrastructure allows unauthenticated attackers to execute denial of service attacks on specific versions, rated with a CVSS score of 7.5.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-61756 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-61756.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9"
          ]
        }
      ],
      "title": "CVE-2025-61756"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-11988 (GCVE-0-2020-11988)

Solution

Solution

Solution

Solution

Tags

Sightings

Nomenclature