Action not permitted
Modal body text goes here.
wid-sec-w-2022-1738
Vulnerability from csaf_certbund
Published
2022-10-16 22:00
Modified
2023-09-27 22:00
Summary
IBM InfoSphere Information Server: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2022-1738 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1738.json" }, { "category": "self", "summary": "WID-SEC-2022-1738 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1738" }, { "category": "external", "summary": "IBM Security Bulletin 7038982 vom 2023-09-28", "url": "https://www.ibm.com/support/pages/node/7038982" }, { "category": "external", "summary": "IBM Security Bulletin: 6829353 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829353" }, { "category": "external", "summary": "IBM Security Bulletin: 6829371 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829371" }, { "category": "external", "summary": "IBM Security Bulletin: 6829373 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829373" }, { "category": "external", "summary": "IBM Security Bulletin: 6829335 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829335" }, { "category": "external", "summary": "IBM Security Bulletin: 6829311 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829311" }, { "category": "external", "summary": "IBM Security Bulletin: 6829369 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829369" }, { "category": "external", "summary": "IBM Security Bulletin: 6829325 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829325" }, { "category": "external", "summary": "IBM Security Bulletin: 6829365 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829365" }, { "category": "external", "summary": "IBM Security Bulletin: 6829361 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829361" }, { "category": "external", "summary": "IBM Security Bulletin: 6829339 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829339" }, { "category": "external", "summary": "IBM Security Bulletin: 6829349 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829349" }, { "category": "external", "summary": "IBM Security Bulletin: 6829363 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829363" }, { "category": "external", "summary": "IBM Security Bulletin: 6829327 vom 2022-10-16", "url": "https://www.ibm.com/support/pages/node/6829327" }, { "category": "external", "summary": "IBM Security Bulletin 6955819 vom 2023-02-15", "url": "https://www.ibm.com/support/pages/node/6955819" } ], "source_lang": "en-US", "title": "IBM InfoSphere Information Server: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-09-27T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:00:50.645+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2022-1738", "initial_release_date": "2022-10-16T22:00:00.000+00:00", "revision_history": [ { "date": "2022-10-16T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2022-11-03T23:00:00.000+00:00", "number": "2", "summary": "CVE erg\u00e4nzt" }, { "date": "2023-02-15T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von IBM aufgenommen" }, { "date": "2023-09-27T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von IBM aufgenommen" } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "IBM InfoSphere Information Server 11.7", "product": { "name": "IBM InfoSphere Information Server 11.7", "product_id": "444803", "product_identification_helper": { "cpe": "cpe:/a:ibm:infosphere_information_server:11.7" } } }, { "category": "product_name", "name": "IBM QRadar SIEM", "product": { "name": "IBM QRadar SIEM", "product_id": "T021415", "product_identification_helper": { "cpe": "cpe:/a:ibm:qradar_siem:-" } } } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2009-0217", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2009-0217" }, { "cve": "CVE-2009-2625", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2009-2625" }, { "cve": "CVE-2012-0881", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2012-0881" }, { "cve": "CVE-2012-2098", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2012-2098" }, { "cve": "CVE-2013-2172", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2013-2172" }, { "cve": "CVE-2013-4002", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2013-4002" }, { "cve": "CVE-2013-4517", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2013-4517" }, { "cve": "CVE-2015-4852", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2015-4852" }, { "cve": "CVE-2015-6420", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2015-6420" }, { "cve": "CVE-2015-7501", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2015-7501" }, { "cve": "CVE-2017-15708", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2017-15708" }, { "cve": "CVE-2019-13116", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2019-13116" }, { "cve": "CVE-2021-33813", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2021-33813" }, { "cve": "CVE-2021-36373", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2021-36373" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-40690", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2021-40690" }, { "cve": "CVE-2021-41089", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2021-41089" }, { "cve": "CVE-2021-41091", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2021-41091" }, { "cve": "CVE-2022-22442", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-22442" }, { "cve": "CVE-2022-23437", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-23437" }, { "cve": "CVE-2022-24769", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-24769" }, { "cve": "CVE-2022-30608", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-30608" }, { "cve": "CVE-2022-30615", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-30615" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-31129" }, { "cve": "CVE-2022-35642", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-35642" }, { "cve": "CVE-2022-35717", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-35717" }, { "cve": "CVE-2022-36109", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-36109" }, { "cve": "CVE-2022-40235", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-40235" }, { "cve": "CVE-2022-40747", "notes": [ { "category": "description", "text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "444803", "T021415" ] }, "release_date": "2022-10-16T22:00:00Z", "title": "CVE-2022-40747" } ] }
cve-2021-36373
Vulnerability from cvelistv5
Published
2021-07-14 06:20
Modified
2024-08-04 00:54
Severity ?
EPSS score ?
Summary
Apache Ant TAR archive denial of service vulnerability
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Ant |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:54:51.488Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ant.apache.org/security.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E" }, { "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E" }, { "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210819-0007/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Ant", "vendor": "Apache Software Foundation", "versions": [ { "changes": [ { "at": "1.9.0", "status": "affected" } ], "lessThanOrEqual": "1.9.15", "status": "affected", "version": "Apache Ant 1.9.x", "versionType": "custom" }, { "changes": [ { "at": "1.10.0", "status": "affected" } ], "lessThanOrEqual": "1.10.10", "status": "affected", "version": "Apache Ant 1.10.x", "versionType": "custom" }, { "lessThan": "1.9.0", "status": "unaffected", "version": "Apache Ant", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 present in Apache Commons Compress which has been detected by OSS Fuzz." } ], "descriptions": [ { "lang": "en", "value": "When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency ", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:30:21", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ant.apache.org/security.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E" }, { "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E" }, { "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210819-0007/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Ant TAR archive denial of service vulnerability", "workarounds": [ { "lang": "en", "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-36373", "STATE": "PUBLIC", "TITLE": "Apache Ant TAR archive denial of service vulnerability" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Ant", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache Ant 1.9.x", "version_value": "1.9.15" }, { "version_affected": "\u003c=", "version_name": "Apache Ant 1.10.x", "version_value": "1.10.10" }, { "version_affected": "\u003e=", "version_name": "Apache Ant 1.9.x", "version_value": "1.9.0" }, { "version_affected": "\u003e=", "version_name": "Apache Ant 1.10.x", "version_value": "1.10.0" }, { "version_affected": "!\u003c", "version_name": "Apache Ant", "version_value": "1.9.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 present in Apache Commons Compress which has been detected by OSS Fuzz." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-130 Improper Handling of Length Parameter Inconsistency " } ] } ] }, "references": { "reference_data": [ { "name": "https://ant.apache.org/security.html", "refsource": "MISC", "url": "https://ant.apache.org/security.html" }, { "name": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E" }, { "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E" }, { "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210819-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210819-0007/" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-36373", "datePublished": "2021-07-14T06:20:11", "dateReserved": "2021-07-12T00:00:00", "dateUpdated": "2024-08-04T00:54:51.488Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-35642
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 09:36
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592."
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:36:44.433Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829311" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829311" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-35642", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-07-11T00:00:00", "dateUpdated": "2024-08-03T09:36:44.433Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-30608
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 06:56
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a "user that the website trusts. IBM X-Force ID: 227295.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:56:12.973Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829335" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a \"user that the website trusts. IBM X-Force ID: 227295." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Request Forgery", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829335" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-30608", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-05-12T00:00:00", "dateUpdated": "2024-08-03T06:56:12.973Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-33813
Vulnerability from cvelistv5
Published
2021-06-16 11:18
Modified
2024-08-03 23:58
Severity ?
EPSS score ?
Summary
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:58:23.111Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/hunterhacker/jdom/pull/188" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/hunterhacker/jdom/releases" }, { "name": "[debian-lts-announce] 20210629 [SECURITY] [DLA 2696-1] libjdom2-java security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00026.html" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15530) High security vulnerability in jackson-databind bundled within Solr 8.9", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r89b3800cfabb1e773e49425e5d4239c28a659839a2eca6af3431482e%40%3Cissues.solr.apache.org%3E" }, { "name": "[debian-lts-announce] 20210720 [SECURITY] [DLA 2712-1] libjdom1-java security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00012.html" }, { "name": "[tika-dev] 20210721 [jira] [Created] (TIKA-3488) Security issue XXE in TIKA due to JDOM", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfb7a93e40ebeb1e0068cde0bf3834dcab46bb1ef06d6424db48ed9fd%40%3Cdev.tika.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r845e987b7cd8efe610284958e997b84583f5a98d3394adc09e3482fe%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210819 [jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210819 [jira] [Resolved] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b%40%3Cissues.solr.apache.org%3E" }, { "name": "FEDORA-2021-3cb0d02576", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AH46QHE5GIMT6BL6C3GDTOYF27JYILXM/" }, { "name": "FEDORA-2021-f88d2dcc47", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWFVYTHGILOQXUA7U3SPOERQXL7OPSZG/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://alephsecurity.com/vulns/aleph-2021003" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:28:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/hunterhacker/jdom/pull/188" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/hunterhacker/jdom/releases" }, { "name": "[debian-lts-announce] 20210629 [SECURITY] [DLA 2696-1] libjdom2-java security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00026.html" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15530) High security vulnerability in jackson-databind bundled within Solr 8.9", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r89b3800cfabb1e773e49425e5d4239c28a659839a2eca6af3431482e%40%3Cissues.solr.apache.org%3E" }, { "name": "[debian-lts-announce] 20210720 [SECURITY] [DLA 2712-1] libjdom1-java security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00012.html" }, { "name": "[tika-dev] 20210721 [jira] [Created] (TIKA-3488) Security issue XXE in TIKA due to JDOM", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfb7a93e40ebeb1e0068cde0bf3834dcab46bb1ef06d6424db48ed9fd%40%3Cdev.tika.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r845e987b7cd8efe610284958e997b84583f5a98d3394adc09e3482fe%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210819 [jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210819 [jira] [Resolved] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b%40%3Cissues.solr.apache.org%3E" }, { "name": "FEDORA-2021-3cb0d02576", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AH46QHE5GIMT6BL6C3GDTOYF27JYILXM/" }, { "name": "FEDORA-2021-f88d2dcc47", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWFVYTHGILOQXUA7U3SPOERQXL7OPSZG/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://alephsecurity.com/vulns/aleph-2021003" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-33813", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/hunterhacker/jdom/pull/188", "refsource": "MISC", "url": "https://github.com/hunterhacker/jdom/pull/188" }, { "name": "https://github.com/hunterhacker/jdom/releases", "refsource": "MISC", "url": "https://github.com/hunterhacker/jdom/releases" }, { "name": "[debian-lts-announce] 20210629 [SECURITY] [DLA 2696-1] libjdom2-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00026.html" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15530) High security vulnerability in jackson-databind bundled within Solr 8.9", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r89b3800cfabb1e773e49425e5d4239c28a659839a2eca6af3431482e@%3Cissues.solr.apache.org%3E" }, { "name": "[debian-lts-announce] 20210720 [SECURITY] [DLA 2712-1] libjdom1-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00012.html" }, { "name": "[tika-dev] 20210721 [jira] [Created] (TIKA-3488) Security issue XXE in TIKA due to JDOM", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfb7a93e40ebeb1e0068cde0bf3834dcab46bb1ef06d6424db48ed9fd@%3Cdev.tika.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r845e987b7cd8efe610284958e997b84583f5a98d3394adc09e3482fe@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210819 [jira] [Commented] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210819 [jira] [Resolved] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b@%3Cissues.solr.apache.org%3E" }, { "name": "FEDORA-2021-3cb0d02576", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AH46QHE5GIMT6BL6C3GDTOYF27JYILXM/" }, { "name": "FEDORA-2021-f88d2dcc47", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWFVYTHGILOQXUA7U3SPOERQXL7OPSZG/" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://alephsecurity.com/vulns/aleph-2021003", "refsource": "MISC", "url": "https://alephsecurity.com/vulns/aleph-2021003" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33813", "datePublished": "2021-06-16T11:18:14", "dateReserved": "2021-06-03T00:00:00", "dateUpdated": "2024-08-03T23:58:23.111Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-40690
Vulnerability from cvelistv5
Published
2021-09-19 00:00
Modified
2024-08-04 02:51
Severity ?
EPSS score ?
Summary
Bypass of the secureValidation property
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Santuario |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:51:06.487Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E" }, { "name": "[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E" }, { "name": "[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html" }, { "name": "[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E" }, { "name": "[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E" }, { "name": "DSA-5010", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-5010" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20230818-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Santuario", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.2.3,2.1.7", "status": "affected", "version": "XML Security for Java", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "An Trinh, Calif." } ], "descriptions": [ { "lang": "en", "value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-18T13:06:19.359156", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E" }, { "name": "[tomee-commits] 20210922 [tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Resolved] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Created] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Assigned] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[tomee-commits] 20210923 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E" }, { "name": "[poi-user] 20210923 Re: CVE-2021-40690 on xmlsec jar", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8%40%3Cuser.poi.apache.org%3E" }, { "name": "[debian-lts-announce] 20210927 [SECURITY] [DLA 2767-1] libxml-security-java security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html" }, { "name": "[cxf-issues] 20211027 [jira] [Created] (CXF-8613) High Security issues reported with Apache Santuario library bundled in CXF 3.4.4", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E" }, { "name": "[tomee-commits] 20211028 [jira] [Updated] (TOMEE-3798) TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c%40%3Ccommits.tomee.apache.org%3E" }, { "name": "DSA-5010", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-5010" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20230818-0002/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Bypass of the secureValidation property", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40690", "datePublished": "2021-09-19T00:00:00", "dateReserved": "2021-09-08T00:00:00", "dateUpdated": "2024-08-04T02:51:06.487Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7501
Vulnerability from cvelistv5
Published
2017-11-09 00:00
Modified
2024-08-06 07:51
Severity ?
EPSS score ?
Summary
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:51:28.224Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2016:0040", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0040.html" }, { "name": "RHSA-2015:2670", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2670.html" }, { "name": "RHSA-2015:2501", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2501.html" }, { "name": "RHSA-2015:2517", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2517.html" }, { "name": "78215", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securityfocus.com/bid/78215" }, { "name": "1034097", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securitytracker.com/id/1034097" }, { "name": "RHSA-2015:2671", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2671.html" }, { "name": "1037052", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037052" }, { "name": "1037640", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037640" }, { "name": "RHSA-2015:2522", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2522.html" }, { "name": "RHSA-2015:2521", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2521.html" }, { "name": "RHSA-2015:2516", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2516.html" }, { "name": "RHSA-2015:2500", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2500.html" }, { "name": "RHSA-2015:2514", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2514.html" }, { "name": "RHSA-2015:2502", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2502.html" }, { "name": "RHSA-2015:2536", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2015-2536.html" }, { "name": "RHSA-2016:1773", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" }, { "name": "RHSA-2015:2524", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2524.html" }, { "name": "1037053", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037053" }, { "tags": [ "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330" }, { "tags": [ "x_transferred" ], "url": "https://access.redhat.com/solutions/2045023" }, { "tags": [ "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "tags": [ "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "tags": [ "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "tags": [ "x_transferred" ], "url": "https://access.redhat.com/security/vulnerabilities/2059393" }, { "tags": [ "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240216-0010/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-16T13:06:08.221728", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2016:0040", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0040.html" }, { "name": "RHSA-2015:2670", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2670.html" }, { "name": "RHSA-2015:2501", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2501.html" }, { "name": "RHSA-2015:2517", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2517.html" }, { "name": "78215", "tags": [ "vdb-entry" ], "url": "http://www.securityfocus.com/bid/78215" }, { "name": "1034097", "tags": [ "vdb-entry" ], "url": "http://www.securitytracker.com/id/1034097" }, { "name": "RHSA-2015:2671", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2671.html" }, { "name": "1037052", "tags": [ "vdb-entry" ], "url": "http://www.securitytracker.com/id/1037052" }, { "name": "1037640", "tags": [ "vdb-entry" ], "url": "http://www.securitytracker.com/id/1037640" }, { "name": "RHSA-2015:2522", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2522.html" }, { "name": "RHSA-2015:2521", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2521.html" }, { "name": "RHSA-2015:2516", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2516.html" }, { "name": "RHSA-2015:2500", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2500.html" }, { "name": "RHSA-2015:2514", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2514.html" }, { "name": "RHSA-2015:2502", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2502.html" }, { "name": "RHSA-2015:2536", "tags": [ "vendor-advisory" ], "url": "https://rhn.redhat.com/errata/RHSA-2015-2536.html" }, { "name": "RHSA-2016:1773", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" }, { "name": "RHSA-2015:2524", "tags": [ "vendor-advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2524.html" }, { "name": "1037053", "tags": [ "vdb-entry" ], "url": "http://www.securitytracker.com/id/1037053" }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330" }, { "url": "https://access.redhat.com/solutions/2045023" }, { "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "url": "https://access.redhat.com/security/vulnerabilities/2059393" }, { "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "url": "https://security.netapp.com/advisory/ntap-20240216-0010/" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7501", "datePublished": "2017-11-09T00:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.224Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4517
Vulnerability from cvelistv5
Published
2014-01-11 01:00
Modified
2024-08-06 16:45
Severity ?
EPSS score ?
Summary
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:45:14.816Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2014:1728", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1728.html" }, { "name": "RHSA-2014:1726", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1726.html" }, { "name": "RHSA-2014:0170", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html" }, { "name": "RHSA-2015:0675", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "name": "101169", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/101169" }, { "name": "RHSA-2015:0850", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" }, { "name": "RHSA-2014:0195", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.tenable.com/security/tns-2018-15" }, { "name": "santuario-xmlsecurity-cve20134517-dos(89891)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89891" }, { "name": "RHSA-2014:1727", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1727.html" }, { "name": "RHSA-2015:0851", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" }, { "name": "20131218 Apache Santuario security advisory CVE-2013-4517 released", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Dec/169" }, { "name": "1029524", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1029524" }, { "name": "RHSA-2014:0172", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc" }, { "name": "RHSA-2014:0171", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html" }, { "name": "64437", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/64437" }, { "name": "RHSA-2014:1725", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1725.html" }, { "name": "55639", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55639" }, { "name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E" }, { "name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-12-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-17T10:06:09", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2014:1728", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1728.html" }, { "name": "RHSA-2014:1726", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1726.html" }, { "name": "RHSA-2014:0170", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html" }, { "name": "RHSA-2015:0675", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "name": "101169", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/101169" }, { "name": "RHSA-2015:0850", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" }, { "name": "RHSA-2014:0195", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.tenable.com/security/tns-2018-15" }, { "name": "santuario-xmlsecurity-cve20134517-dos(89891)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89891" }, { "name": "RHSA-2014:1727", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1727.html" }, { "name": "RHSA-2015:0851", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" }, { "name": "20131218 Apache Santuario security advisory CVE-2013-4517 released", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Dec/169" }, { "name": "1029524", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1029524" }, { "name": "RHSA-2014:0172", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc" }, { "name": "RHSA-2014:0171", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html" }, { "name": "64437", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/64437" }, { "name": "RHSA-2014:1725", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1725.html" }, { "name": "55639", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55639" }, { "name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E" }, { "name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4517", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2014:1728", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1728.html" }, { "name": "RHSA-2014:1726", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1726.html" }, { "name": "RHSA-2014:0170", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html" }, { "name": "RHSA-2015:0675", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "name": "101169", "refsource": "OSVDB", "url": "http://osvdb.org/101169" }, { "name": "RHSA-2015:0850", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" }, { "name": "RHSA-2014:0195", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html" }, { "name": "https://www.tenable.com/security/tns-2018-15", "refsource": "CONFIRM", "url": "https://www.tenable.com/security/tns-2018-15" }, { "name": "santuario-xmlsecurity-cve20134517-dos(89891)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89891" }, { "name": "RHSA-2014:1727", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1727.html" }, { "name": "RHSA-2015:0851", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" }, { "name": "20131218 Apache Santuario security advisory CVE-2013-4517 released", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Dec/169" }, { "name": "1029524", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029524" }, { "name": "RHSA-2014:0172", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html" }, { "name": "http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc", "refsource": "CONFIRM", "url": "http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc" }, { "name": "RHSA-2014:0171", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html" }, { "name": "http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html", "refsource": "CONFIRM", "url": "http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html" }, { "name": "64437", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64437" }, { "name": "RHSA-2014:1725", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1725.html" }, { "name": "55639", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55639" }, { "name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E" }, { "name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4517", "datePublished": "2014-01-11T01:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:14.816Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-2625
Vulnerability from cvelistv5
Published
2009-08-06 15:00
Modified
2024-08-07 05:59
Severity ?
EPSS score ?
Summary
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:59:56.314Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "SSA:2011-041-02", "tags": [ "vendor-advisory", "x_refsource_SLACKWARE", "x_transferred" ], "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2011\u0026m=slackware-security.486026" }, { "name": "RHSA-2009:1200", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "name": "RHSA-2009:1199", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html" }, { "name": "USN-890-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-890-1" }, { "name": "36162", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36162" }, { "name": "ADV-2009-2543", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "name": "DSA-1984", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2010/dsa-1984" }, { "name": "[oss-security] 20091022 Re: Regarding expat bug 1990430", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/10/22/9" }, { "name": "1021506", "tags": [ "vendor-advisory", "x_refsource_SUNALERT", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1" }, { "name": "37460", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37460" }, { "name": "RHSA-2009:1615", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-1615.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "name": "HPSBUX02476", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "37754", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37754" }, { "name": "RHSA-2009:1637", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.codenomicon.com/labs/xml/" }, { "name": "36199", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36199" }, { "name": "RHSA-2012:1537", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2012-1537.html" }, { "name": "SUSE-SR:2010:013", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html" }, { "name": "MDVSA-2009:209", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "name": "FEDORA-2009-8329", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "name": "RHSA-2011:0858", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0858.html" }, { "name": "SSRT090250", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "1022680", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022680" }, { "name": "37671", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37671" }, { "name": "38342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38342" }, { "name": "RHSA-2009:1636", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "name": "35958", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/35958" }, { "name": "20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "name": "RHSA-2009:1649", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "name": "[oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/10/26/3" }, { "name": "TA09-294A", "tags": [ "third-party-advisory", "x_refsource_CERT", "x_transferred" ], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "name": "50549", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/50549" }, { "name": "oval:org.mitre.oval:def:8520", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520" }, { "name": "36180", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36180" }, { "name": "38231", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38231" }, { "name": "272209", "tags": [ "vendor-advisory", "x_refsource_SUNALERT", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1" }, { "name": "MDVSA-2011:108", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:108" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "name": "36176", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36176" }, { "name": "FEDORA-2009-8337", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "name": "43300", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43300" }, { "name": "oval:org.mitre.oval:def:9356", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356" }, { "name": "TA10-012A", "tags": [ "third-party-advisory", "x_refsource_CERT", "x_transferred" ], "url": "http://www.us-cert.gov/cas/techalerts/TA10-012A.html" }, { "name": "SUSE-SR:2009:016", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "name": "RHSA-2012:1232", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html" }, { "name": "263489", "tags": [ "vendor-advisory", "x_refsource_SUNALERT", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\u0026r2=787352\u0026pathrev=787353\u0026diff_format=h" }, { "name": "37300", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37300" }, { "name": "APPLE-SA-2009-09-03-1", "tags": [ "vendor-advisory", "x_refsource_APPLE", "x_transferred" ], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "name": "SUSE-SA:2009:053", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512921" }, { "name": "RHSA-2009:1201", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "name": "SUSE-SR:2009:017", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" }, { "name": "[oss-security] 20090906 Re: Re: expat bug 1990430", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/09/06/1" }, { "name": "[oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/10/23/6" }, { "name": "ADV-2011-0359", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0359" }, { "name": "ADV-2009-3316", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/3316" }, { "name": "RHSA-2009:1650", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-08-05T00:00:00", "descriptions": [ { "lang": "en", "value": "XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-20T16:06:10", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "name": "SSA:2011-041-02", "tags": [ "vendor-advisory", "x_refsource_SLACKWARE" ], "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2011\u0026m=slackware-security.486026" }, { "name": "RHSA-2009:1200", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "name": "RHSA-2009:1199", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html" }, { "name": "USN-890-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-890-1" }, { "name": "36162", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36162" }, { "name": "ADV-2009-2543", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "name": "DSA-1984", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2010/dsa-1984" }, { "name": "[oss-security] 20091022 Re: Regarding expat bug 1990430", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/10/22/9" }, { "name": "1021506", "tags": [ "vendor-advisory", "x_refsource_SUNALERT" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1" }, { "name": "37460", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37460" }, { "name": "RHSA-2009:1615", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-1615.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "name": "HPSBUX02476", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "37754", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37754" }, { "name": "RHSA-2009:1637", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.codenomicon.com/labs/xml/" }, { "name": "36199", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36199" }, { "name": "RHSA-2012:1537", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2012-1537.html" }, { "name": "SUSE-SR:2010:013", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html" }, { "name": "MDVSA-2009:209", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "name": "FEDORA-2009-8329", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "name": "RHSA-2011:0858", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-0858.html" }, { "name": "SSRT090250", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "1022680", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022680" }, { "name": "37671", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37671" }, { "name": "38342", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38342" }, { "name": "RHSA-2009:1636", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "name": "35958", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/35958" }, { "name": "20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "name": "RHSA-2009:1649", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "name": "[oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/10/26/3" }, { "name": "TA09-294A", "tags": [ "third-party-advisory", "x_refsource_CERT" ], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "name": "50549", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/50549" }, { "name": "oval:org.mitre.oval:def:8520", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520" }, { "name": "36180", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36180" }, { "name": "38231", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38231" }, { "name": "272209", "tags": [ "vendor-advisory", "x_refsource_SUNALERT" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1" }, { "name": "MDVSA-2011:108", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:108" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "name": "36176", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36176" }, { "name": "FEDORA-2009-8337", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "name": "43300", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43300" }, { "name": "oval:org.mitre.oval:def:9356", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356" }, { "name": "TA10-012A", "tags": [ "third-party-advisory", "x_refsource_CERT" ], "url": "http://www.us-cert.gov/cas/techalerts/TA10-012A.html" }, { "name": "SUSE-SR:2009:016", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "name": "RHSA-2012:1232", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html" }, { "name": "263489", "tags": [ "vendor-advisory", "x_refsource_SUNALERT" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\u0026r2=787352\u0026pathrev=787353\u0026diff_format=h" }, { "name": "37300", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37300" }, { "name": "APPLE-SA-2009-09-03-1", "tags": [ "vendor-advisory", "x_refsource_APPLE" ], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "name": "SUSE-SA:2009:053", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512921" }, { "name": "RHSA-2009:1201", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "name": "SUSE-SR:2009:017", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" }, { "name": "[oss-security] 20090906 Re: Re: expat bug 1990430", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/09/06/1" }, { "name": "[oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/10/23/6" }, { "name": "ADV-2011-0359", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0359" }, { "name": "ADV-2009-3316", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/3316" }, { "name": "RHSA-2009:1650", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2009-2625", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "SSA:2011-041-02", "refsource": "SLACKWARE", "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2011\u0026m=slackware-security.486026" }, { "name": "RHSA-2009:1200", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "name": "RHSA-2009:1199", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html" }, { "name": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html", "refsource": "MISC", "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html" }, { "name": "USN-890-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-890-1" }, { "name": "36162", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36162" }, { "name": "ADV-2009-2543", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "name": "DSA-1984", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2010/dsa-1984" }, { "name": "[oss-security] 20091022 Re: Regarding expat bug 1990430", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/22/9" }, { "name": "1021506", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1" }, { "name": "37460", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37460" }, { "name": "RHSA-2009:1615", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2009-1615.html" }, { "name": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html", "refsource": "CONFIRM", "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "name": "HPSBUX02476", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "37754", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37754" }, { "name": "RHSA-2009:1637", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "name": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html", "refsource": "MISC", "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html" }, { "name": "http://www.codenomicon.com/labs/xml/", "refsource": "MISC", "url": "http://www.codenomicon.com/labs/xml/" }, { "name": "36199", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36199" }, { "name": "RHSA-2012:1537", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2012-1537.html" }, { "name": "SUSE-SR:2010:013", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html" }, { "name": "MDVSA-2009:209", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "name": "FEDORA-2009-8329", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "name": "RHSA-2011:0858", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2011-0858.html" }, { "name": "SSRT090250", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "1022680", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022680" }, { "name": "37671", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37671" }, { "name": "38342", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38342" }, { "name": "RHSA-2009:1636", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "name": "35958", "refsource": "BID", "url": "http://www.securityfocus.com/bid/35958" }, { "name": "20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "name": "RHSA-2009:1649", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "name": "[oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/26/3" }, { "name": "TA09-294A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "name": "50549", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/50549" }, { "name": "oval:org.mitre.oval:def:8520", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520" }, { "name": "36180", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36180" }, { "name": "38231", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38231" }, { "name": "272209", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1" }, { "name": "MDVSA-2011:108", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:108" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "name": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1", "refsource": "CONFIRM", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "name": "36176", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36176" }, { "name": "FEDORA-2009-8337", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "name": "43300", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/43300" }, { "name": "oval:org.mitre.oval:def:9356", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356" }, { "name": "TA10-012A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA10-012A.html" }, { "name": "SUSE-SR:2009:016", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "name": "RHSA-2012:1232", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html" }, { "name": "263489", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1" }, { "name": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\u0026r2=787352\u0026pathrev=787353\u0026diff_format=h", "refsource": "CONFIRM", "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\u0026r2=787352\u0026pathrev=787353\u0026diff_format=h" }, { "name": "37300", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37300" }, { "name": "APPLE-SA-2009-09-03-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "name": "SUSE-SA:2009:053", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=512921", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512921" }, { "name": "RHSA-2009:1201", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "name": "SUSE-SR:2009:017", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" }, { "name": "[oss-security] 20090906 Re: Re: expat bug 1990430", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/09/06/1" }, { "name": "[oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/23/6" }, { "name": "ADV-2011-0359", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2011/0359" }, { "name": "ADV-2009-3316", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/3316" }, { "name": "RHSA-2009:1650", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2009-2625", "datePublished": "2009-08-06T15:00:00", "dateReserved": "2009-07-28T00:00:00", "dateUpdated": "2024-08-07T05:59:56.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-40747
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 12:28
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584."
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:28:41.548Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829373" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 236584.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "XML External Entity Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829373" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-40747", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-09-16T00:00:00", "dateUpdated": "2024-08-03T12:28:41.548Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13116
Vulnerability from cvelistv5
Published
2019-10-16 19:06
Modified
2024-08-04 23:41
Severity ?
EPSS score ?
Summary
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
References
▼ | URL | Tags |
---|---|---|
https://docs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes | x_refsource_MISC | |
https://threat.tevora.com/mulesoft-3-8-unauthenticated-rce/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:41:10.467Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://threat.tevora.com/mulesoft-3-8-unauthenticated-rce/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-29T21:39:56", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://docs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes" }, { "tags": [ "x_refsource_MISC" ], "url": "https://threat.tevora.com/mulesoft-3-8-unauthenticated-rce/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13116", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://docs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes", "refsource": "MISC", "url": "https://docs.mulesoft.com/release-notes/mule-runtime/mule-3.8.0-release-notes" }, { "name": "https://threat.tevora.com/mulesoft-3-8-unauthenticated-rce/", "refsource": "MISC", "url": "https://threat.tevora.com/mulesoft-3-8-unauthenticated-rce/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13116", "datePublished": "2019-10-16T19:06:39", "dateReserved": "2019-06-30T00:00:00", "dateUpdated": "2024-08-04T23:41:10.467Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-15708
Vulnerability from cvelistv5
Published
2017-12-11 15:00
Modified
2024-09-17 02:51
Severity ?
EPSS score ?
Summary
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/102154 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2020.html | x_refsource_MISC | |
https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://security.gentoo.org/glsa/202107-37 | vendor-advisory, x_refsource_GENTOO |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Synapse |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:04:50.319Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "102154", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/102154" }, { "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E" }, { "name": "GLSA-202107-37", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202107-37" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Synapse", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "3.0.0" }, { "status": "affected", "version": "2.1.0" }, { "status": "affected", "version": "2.0.0" }, { "status": "affected", "version": "1.2" }, { "status": "affected", "version": "1.1.2" }, { "status": "affected", "version": "1.1.1" } ] } ], "datePublic": "2017-12-10T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version." } ], "problemTypes": [ { "descriptions": [ { "description": "Remote Code Execution Vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-16T07:06:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "102154", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/102154" }, { "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E" }, { "name": "GLSA-202107-37", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202107-37" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-12-10T00:00:00", "ID": "CVE-2017-15708", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Synapse", "version": { "version_data": [ { "version_value": "3.0.0" }, { "version_value": "2.1.0" }, { "version_value": "2.0.0" }, { "version_value": "1.2" }, { "version_value": "1.1.2" }, { "version_value": "1.1.1" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Remote Code Execution Vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "102154", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102154" }, { "name": "[dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "name": "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5595: [FE][Fix]Update commons-collections to fix a security issue", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6@%3Ccommits.doris.apache.org%3E" }, { "name": "GLSA-202107-37", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-37" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-15708", "datePublished": "2017-12-11T15:00:00Z", "dateReserved": "2017-10-21T00:00:00", "dateUpdated": "2024-09-17T02:51:55.934Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24769
Vulnerability from cvelistv5
Published
2022-03-24 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
Default inheritable capabilities for linux container should be empty
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.949Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq" }, { "tags": [ "x_transferred" ], "url": "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f" }, { "tags": [ "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.14" }, { "name": "FEDORA-2022-e9a09c1a7d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/" }, { "name": "FEDORA-2022-ed53f2439a", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/" }, { "name": "FEDORA-2022-c07546070d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/" }, { "name": "FEDORA-2022-cac2323802", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/" }, { "name": "FEDORA-2022-eda0049dd7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/" }, { "name": "FEDORA-2022-3826c8f549", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/" }, { "name": "[oss-security] 20220512 CVE-2022-29162: runc \u003c 1.1.2 incorrect handling of inheritable capabilities in default configuration", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/12/1" }, { "name": "DSA-5162", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5162" }, { "name": "GLSA-202401-31", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202401-31" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.14" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container\u0027s bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container\u0027s bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-31T13:06:22.056004", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq" }, { "url": "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f" }, { "url": "https://github.com/moby/moby/releases/tag/v20.10.14" }, { "name": "FEDORA-2022-e9a09c1a7d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/" }, { "name": "FEDORA-2022-ed53f2439a", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/" }, { "name": "FEDORA-2022-c07546070d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/" }, { "name": "FEDORA-2022-cac2323802", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/" }, { "name": "FEDORA-2022-eda0049dd7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/" }, { "name": "FEDORA-2022-3826c8f549", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/" }, { "name": "[oss-security] 20220512 CVE-2022-29162: runc \u003c 1.1.2 incorrect handling of inheritable capabilities in default configuration", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/12/1" }, { "name": "DSA-5162", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5162" }, { "name": "GLSA-202401-31", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202401-31" } ], "source": { "advisory": "GHSA-2mm7-x5h6-5pvq", "discovery": "UNKNOWN" }, "title": "Default inheritable capabilities for linux container should be empty" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24769", "datePublished": "2022-03-24T00:00:00", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-0217
Vulnerability from cvelistv5
Published
2009-07-14 23:00
Modified
2024-08-07 04:24
Severity ?
EPSS score ?
Summary
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T04:24:18.400Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2009:1428", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1428.html" }, { "name": "ADV-2009-3122", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/3122" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openoffice.org/security/cves/CVE-2009-0217.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47526" }, { "name": "60799", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60799" }, { "name": "GLSA-201408-19", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml" }, { "name": "PK80596", "tags": [ "vendor-advisory", "x_refsource_AIXAPAR", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026context=SSEQTP\u0026dc=D400\u0026uid=swg24023545\u0026loc=en_US\u0026cs=UTF-8\u0026lang=en\u0026rss=ct180websphere" }, { "name": "RHSA-2009:1200", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "name": "35776", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35776" }, { "name": "36162", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36162" }, { "name": "36494", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36494" }, { "name": "ADV-2009-2543", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "name": "35858", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35858" }, { "name": "38695", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38695" }, { "name": "269208", "tags": [ "vendor-advisory", "x_refsource_SUNALERT", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1" }, { "name": "DSA-1995", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2010/dsa-1995" }, { "name": "HPSBUX02476", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "35853", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35853" }, { "name": "RHSA-2009:1637", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "name": "RHSA-2009:1694", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-1694.html" }, { "name": "35852", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35852" }, { "name": "35854", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35854" }, { "name": "34461", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/34461" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.kb.cert.org/vuls/id/WDON-7TY529" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.mono-project.com/Vulnerabilities" }, { "name": "1020710", "tags": [ "vendor-advisory", "x_refsource_SUNALERT", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1" }, { "name": "USN-903-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-903-1" }, { "name": "35671", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/35671" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47527" }, { "name": "ADV-2010-0366", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/0366" }, { "name": "55907", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/55907" }, { "name": "MDVSA-2009:209", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "name": "SUSE-SA:2010:017", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html" }, { "name": "38567", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38567" }, { "name": "FEDORA-2009-8329", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "name": "263429", "tags": [ "vendor-advisory", "x_refsource_SUNALERT", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161" }, { "name": "SSRT090250", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "ADV-2009-1900", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/1900" }, { "name": "1022561", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022561" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html" }, { "name": "37671", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37671" }, { "name": "VU#466161", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "http://www.kb.cert.org/vuls/id/466161" }, { "name": "1022567", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022567" }, { "name": "RHSA-2009:1636", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "name": "PK80627", "tags": [ "vendor-advisory", "x_refsource_AIXAPAR", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026context=SSEQTP\u0026dc=D400\u0026uid=swg24023723\u0026loc=en_US\u0026cs=UTF-8\u0026lang=en\u0026rss=ct180websphere" }, { "name": "RHSA-2009:1649", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html" }, { "name": "TA09-294A", "tags": [ "third-party-advisory", "x_refsource_CERT", "x_transferred" ], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "name": "ADV-2009-1909", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/1909" }, { "name": "ADV-2010-0635", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/0635" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://svn.apache.org/viewvc?revision=794013\u0026view=revision" }, { "name": "38568", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38568" }, { "name": "36180", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36180" }, { "name": "FEDORA-2009-8456", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.w3.org/2008/06/xmldsigcore-errata.html#e03" }, { "name": "USN-826-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/826-1/" }, { "name": "37841", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37841" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "name": "35855", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/35855" }, { "name": "FEDORA-2009-8473", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html" }, { "name": "36176", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36176" }, { "name": "oval:org.mitre.oval:def:7158", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html" }, { "name": "ADV-2009-1908", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/1908" }, { "name": "FEDORA-2009-8337", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026uid=swg21384925" }, { "name": "41818", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41818" }, { "name": "1022661", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022661" }, { "name": "37300", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37300" }, { "name": "ADV-2009-1911", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/1911" }, { "name": "APPLE-SA-2009-09-03-1", "tags": [ "vendor-advisory", "x_refsource_APPLE", "x_transferred" ], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "name": "SUSE-SA:2009:053", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "name": "oval:org.mitre.oval:def:8717", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717" }, { "name": "RHSA-2009:1201", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ" }, { "name": "TA10-159B", "tags": [ "third-party-advisory", "x_refsource_CERT", "x_transferred" ], "url": "http://www.us-cert.gov/cas/techalerts/TA10-159B.html" }, { "name": "oval:org.mitre.oval:def:10186", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186" }, { "name": "55895", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/55895" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.aleksey.com/xmlsec/" }, { "name": "MS10-041", "tags": [ "vendor-advisory", "x_refsource_MS", "x_transferred" ], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041" }, { "name": "38921", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38921" }, { "name": "RHSA-2009:1650", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=511915" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-07-14T00:00:00", "descriptions": [ { "lang": "en", "value": "The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-12T19:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "name": "RHSA-2009:1428", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1428.html" }, { "name": "ADV-2009-3122", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/3122" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openoffice.org/security/cves/CVE-2009-0217.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47526" }, { "name": "60799", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60799" }, { "name": "GLSA-201408-19", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml" }, { "name": "PK80596", "tags": [ "vendor-advisory", "x_refsource_AIXAPAR" ], "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026context=SSEQTP\u0026dc=D400\u0026uid=swg24023545\u0026loc=en_US\u0026cs=UTF-8\u0026lang=en\u0026rss=ct180websphere" }, { "name": "RHSA-2009:1200", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "name": "35776", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35776" }, { "name": "36162", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36162" }, { "name": "36494", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36494" }, { "name": "ADV-2009-2543", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "name": "35858", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35858" }, { "name": "38695", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38695" }, { "name": "269208", "tags": [ "vendor-advisory", "x_refsource_SUNALERT" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1" }, { "name": "DSA-1995", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2010/dsa-1995" }, { "name": "HPSBUX02476", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "35853", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35853" }, { "name": "RHSA-2009:1637", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "name": "RHSA-2009:1694", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2009-1694.html" }, { "name": "35852", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35852" }, { "name": "35854", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35854" }, { "name": "34461", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/34461" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.kb.cert.org/vuls/id/WDON-7TY529" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.mono-project.com/Vulnerabilities" }, { "name": "1020710", "tags": [ "vendor-advisory", "x_refsource_SUNALERT" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1" }, { "name": "USN-903-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-903-1" }, { "name": "35671", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/35671" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47527" }, { "name": "ADV-2010-0366", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/0366" }, { "name": "55907", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/55907" }, { "name": "MDVSA-2009:209", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "name": "SUSE-SA:2010:017", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html" }, { "name": "38567", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38567" }, { "name": "FEDORA-2009-8329", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "name": "263429", "tags": [ "vendor-advisory", "x_refsource_SUNALERT" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161" }, { "name": "SSRT090250", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "ADV-2009-1900", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/1900" }, { "name": "1022561", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022561" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html" }, { "name": "37671", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37671" }, { "name": "VU#466161", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "http://www.kb.cert.org/vuls/id/466161" }, { "name": "1022567", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022567" }, { "name": "RHSA-2009:1636", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "name": "PK80627", "tags": [ "vendor-advisory", "x_refsource_AIXAPAR" ], "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026context=SSEQTP\u0026dc=D400\u0026uid=swg24023723\u0026loc=en_US\u0026cs=UTF-8\u0026lang=en\u0026rss=ct180websphere" }, { "name": "RHSA-2009:1649", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html" }, { "name": "TA09-294A", "tags": [ "third-party-advisory", "x_refsource_CERT" ], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "name": "ADV-2009-1909", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/1909" }, { "name": "ADV-2010-0635", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/0635" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://svn.apache.org/viewvc?revision=794013\u0026view=revision" }, { "name": "38568", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38568" }, { "name": "36180", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36180" }, { "name": "FEDORA-2009-8456", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.w3.org/2008/06/xmldsigcore-errata.html#e03" }, { "name": "USN-826-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/826-1/" }, { "name": "37841", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37841" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "name": "35855", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/35855" }, { "name": "FEDORA-2009-8473", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html" }, { "name": "36176", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36176" }, { "name": "oval:org.mitre.oval:def:7158", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html" }, { "name": "ADV-2009-1908", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/1908" }, { "name": "FEDORA-2009-8337", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026uid=swg21384925" }, { "name": "41818", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41818" }, { "name": "1022661", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022661" }, { "name": "37300", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37300" }, { "name": "ADV-2009-1911", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/1911" }, { "name": "APPLE-SA-2009-09-03-1", "tags": [ "vendor-advisory", "x_refsource_APPLE" ], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "name": "SUSE-SA:2009:053", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "name": "oval:org.mitre.oval:def:8717", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717" }, { "name": "RHSA-2009:1201", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ" }, { "name": "TA10-159B", "tags": [ "third-party-advisory", "x_refsource_CERT" ], "url": "http://www.us-cert.gov/cas/techalerts/TA10-159B.html" }, { "name": "oval:org.mitre.oval:def:10186", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186" }, { "name": "55895", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/55895" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.aleksey.com/xmlsec/" }, { "name": "MS10-041", "tags": [ "vendor-advisory", "x_refsource_MS" ], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041" }, { "name": "38921", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38921" }, { "name": "RHSA-2009:1650", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=511915" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2009-0217", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2009:1428", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1428.html" }, { "name": "ADV-2009-3122", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/3122" }, { "name": "http://www.openoffice.org/security/cves/CVE-2009-0217.html", "refsource": "CONFIRM", "url": "http://www.openoffice.org/security/cves/CVE-2009-0217.html" }, { "name": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47526", "refsource": "CONFIRM", "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47526" }, { "name": "60799", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60799" }, { "name": "GLSA-201408-19", "refsource": "GENTOO", "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml" }, { "name": "PK80596", "refsource": "AIXAPAR", "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026context=SSEQTP\u0026dc=D400\u0026uid=swg24023545\u0026loc=en_US\u0026cs=UTF-8\u0026lang=en\u0026rss=ct180websphere" }, { "name": "RHSA-2009:1200", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "name": "35776", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35776" }, { "name": "36162", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36162" }, { "name": "36494", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36494" }, { "name": "ADV-2009-2543", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "name": "35858", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35858" }, { "name": "38695", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38695" }, { "name": "269208", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1" }, { "name": "DSA-1995", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2010/dsa-1995" }, { "name": "HPSBUX02476", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "35853", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35853" }, { "name": "RHSA-2009:1637", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "name": "RHSA-2009:1694", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2009-1694.html" }, { "name": "35852", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35852" }, { "name": "35854", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35854" }, { "name": "34461", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34461" }, { "name": "http://www.kb.cert.org/vuls/id/WDON-7TY529", "refsource": "CONFIRM", "url": "http://www.kb.cert.org/vuls/id/WDON-7TY529" }, { "name": "http://www.mono-project.com/Vulnerabilities", "refsource": "CONFIRM", "url": "http://www.mono-project.com/Vulnerabilities" }, { "name": "1020710", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1" }, { "name": "USN-903-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-903-1" }, { "name": "35671", "refsource": "BID", "url": "http://www.securityfocus.com/bid/35671" }, { "name": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47527", "refsource": "CONFIRM", "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=47527" }, { "name": "ADV-2010-0366", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0366" }, { "name": "55907", "refsource": "OSVDB", "url": "http://osvdb.org/55907" }, { "name": "MDVSA-2009:209", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "name": "SUSE-SA:2010:017", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html" }, { "name": "38567", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38567" }, { "name": "FEDORA-2009-8329", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "name": "263429", "refsource": "SUNALERT", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1" }, { "name": "http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161", "refsource": "CONFIRM", "url": "http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161" }, { "name": "SSRT090250", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "name": "ADV-2009-1900", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1900" }, { "name": "1022561", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022561" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html" }, { "name": "37671", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37671" }, { "name": "VU#466161", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/466161" }, { "name": "1022567", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022567" }, { "name": "RHSA-2009:1636", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "name": "PK80627", "refsource": "AIXAPAR", "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026context=SSEQTP\u0026dc=D400\u0026uid=swg24023723\u0026loc=en_US\u0026cs=UTF-8\u0026lang=en\u0026rss=ct180websphere" }, { "name": "RHSA-2009:1649", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html" }, { "name": "TA09-294A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "name": "ADV-2009-1909", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1909" }, { "name": "ADV-2010-0635", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0635" }, { "name": "http://svn.apache.org/viewvc?revision=794013\u0026view=revision", "refsource": "CONFIRM", "url": "http://svn.apache.org/viewvc?revision=794013\u0026view=revision" }, { "name": "38568", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38568" }, { "name": "36180", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36180" }, { "name": "FEDORA-2009-8456", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html" }, { "name": "http://www.w3.org/2008/06/xmldsigcore-errata.html#e03", "refsource": "CONFIRM", "url": "http://www.w3.org/2008/06/xmldsigcore-errata.html#e03" }, { "name": "USN-826-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/826-1/" }, { "name": "37841", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37841" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "name": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1", "refsource": "CONFIRM", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "name": "35855", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/35855" }, { "name": "FEDORA-2009-8473", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html" }, { "name": "36176", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36176" }, { "name": "oval:org.mitre.oval:def:7158", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158" }, { "name": "http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html", "refsource": "MISC", "url": "http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html" }, { "name": "ADV-2009-1908", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1908" }, { "name": "FEDORA-2009-8337", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "name": "http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7", "refsource": "CONFIRM", "url": "http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7" }, { "name": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026uid=swg21384925", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?rs=180\u0026uid=swg21384925" }, { "name": "41818", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/41818" }, { "name": "1022661", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022661" }, { "name": "37300", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37300" }, { "name": "ADV-2009-1911", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1911" }, { "name": "APPLE-SA-2009-09-03-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "name": "SUSE-SA:2009:053", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "name": "oval:org.mitre.oval:def:8717", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717" }, { "name": "RHSA-2009:1201", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "name": "http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7", "refsource": "CONFIRM", "url": "http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7" }, { "name": "http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ", "refsource": "CONFIRM", "url": "http://www.kb.cert.org/vuls/id/MAPG-7TSKXQ" }, { "name": "TA10-159B", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA10-159B.html" }, { "name": "oval:org.mitre.oval:def:10186", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186" }, { "name": "55895", "refsource": "OSVDB", "url": "http://osvdb.org/55895" }, { "name": "http://www.aleksey.com/xmlsec/", "refsource": "CONFIRM", "url": "http://www.aleksey.com/xmlsec/" }, { "name": "MS10-041", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041" }, { "name": "38921", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38921" }, { "name": "RHSA-2009:1650", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=511915", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=511915" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2009-0217", "datePublished": "2009-07-14T23:00:00", "dateReserved": "2009-01-20T00:00:00", "dateUpdated": "2024-08-07T04:24:18.400Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-4852
Vulnerability from cvelistv5
Published
2015-11-18 15:00
Modified
2024-08-06 06:25
Severity ?
EPSS score ?
Summary
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:25:21.906Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852" }, { "name": "1038292", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1038292" }, { "name": "77539", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/77539" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html" }, { "name": "[oss-security] 20151117 Re: Assign CVE for common-collections remote code execution on deserialisation flaw", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/11/17/19" }, { "name": "42806", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/42806/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html" }, { "name": "46628", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/46628/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-06T00:00:00", "descriptions": [ { "lang": "en", "value": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-03-28T18:06:07", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852" }, { "name": "1038292", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1038292" }, { "name": "77539", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/77539" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html" }, { "name": "[oss-security] 20151117 Re: Assign CVE for common-collections remote code execution on deserialisation flaw", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/11/17/19" }, { "name": "42806", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/42806/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html" }, { "name": "46628", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/46628/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2015-4852", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "name": "https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py", "refsource": "MISC", "url": "https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "name": "https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852", "refsource": "CONFIRM", "url": "https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852" }, { "name": "1038292", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038292" }, { "name": "77539", "refsource": "BID", "url": "http://www.securityfocus.com/bid/77539" }, { "name": "http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html" }, { "name": "[oss-security] 20151117 Re: Assign CVE for common-collections remote code execution on deserialisation flaw", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/11/17/19" }, { "name": "42806", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/42806/" }, { "name": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", "refsource": "MISC", "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/" }, { "name": "http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html" }, { "name": "46628", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46628/" } ] } } } }, "cveMetadata": { "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2015-4852", "datePublished": "2015-11-18T15:00:00", "dateReserved": "2015-06-24T00:00:00", "dateUpdated": "2024-08-06T06:25:21.906Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-6420
Vulnerability from cvelistv5
Published
2015-12-15 02:00
Modified
2024-08-06 07:22
Severity ?
EPSS score ?
Summary
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
References
▼ | URL | Tags |
---|---|---|
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | x_refsource_CONFIRM | |
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 | x_refsource_CONFIRM | |
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization | vendor-advisory, x_refsource_CISCO | |
http://www.securityfocus.com/bid/78872 | vdb-entry, x_refsource_BID | |
https://www.tenable.com/security/research/tra-2017-23 | x_refsource_MISC | |
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 | x_refsource_CONFIRM | |
https://www.kb.cert.org/vuls/id/581311 | third-party-advisory, x_refsource_CERT-VN | |
https://www.tenable.com/security/research/tra-2017-14 | x_refsource_MISC | |
https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:22:21.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" }, { "name": "20151209 Vulnerability in Java Deserialization Affecting Cisco Products", "tags": [ "vendor-advisory", "x_refsource_CISCO", "x_transferred" ], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization" }, { "name": "78872", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/78872" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2017-23" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" }, { "name": "VU#581311", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "https://www.kb.cert.org/vuls/id/581311" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2017-14" }, { "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-12-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-10T15:06:27", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" }, { "name": "20151209 Vulnerability in Java Deserialization Affecting Cisco Products", "tags": [ "vendor-advisory", "x_refsource_CISCO" ], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization" }, { "name": "78872", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/78872" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.tenable.com/security/research/tra-2017-23" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" }, { "name": "VU#581311", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "https://www.kb.cert.org/vuls/id/581311" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.tenable.com/security/research/tra-2017-14" }, { "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@cisco.com", "ID": "CVE-2015-6420", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" }, { "name": "20151209 Vulnerability in Java Deserialization Affecting Cisco Products", "refsource": "CISCO", "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization" }, { "name": "78872", "refsource": "BID", "url": "http://www.securityfocus.com/bid/78872" }, { "name": "https://www.tenable.com/security/research/tra-2017-23", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2017-23" }, { "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" }, { "name": "VU#581311", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/581311" }, { "name": "https://www.tenable.com/security/research/tra-2017-14", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2017-14" }, { "name": "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2015-6420", "datePublished": "2015-12-15T02:00:00", "dateReserved": "2015-08-17T00:00:00", "dateUpdated": "2024-08-06T07:22:21.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-0881
Vulnerability from cvelistv5
Published
2017-10-30 16:00
Modified
2024-08-06 18:38
Severity ?
EPSS score ?
Summary
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:38:15.063Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" }, { "name": "[oss-security] 20140708 Summer bug cleaning - some Hash DoS stuff", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2014/07/08/11" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/XERCESJ-1685" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=787104" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "[hadoop-common-issues] 20210928 [GitHub] [hadoop] warrenzhu25 opened a new pull request #3496: HADOOP-17941. Update xerces to 2.12", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-07-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-28T19:06:16", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" }, { "name": "[oss-security] 20140708 Summer bug cleaning - some Hash DoS stuff", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2014/07/08/11" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/XERCESJ-1685" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=787104" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "[hadoop-common-issues] 20210928 [GitHub] [hadoop] warrenzhu25 opened a new pull request #3496: HADOOP-17941. Update xerces to 2.12", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-0881", "datePublished": "2017-10-30T16:00:00", "dateReserved": "2012-01-19T00:00:00", "dateUpdated": "2024-08-06T18:38:15.063Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4002
Vulnerability from cvelistv5
Published
2013-07-23 10:00
Modified
2024-08-06 16:30
Severity ?
EPSS score ?
Summary
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:30:49.315Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "IC98015", "tags": [ "vendor-advisory", "x_refsource_AIXAPAR", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015" }, { "name": "RHSA-2013:1060", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1060.html" }, { "name": "RHSA-2014:0414", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2014:0414" }, { "name": "GLSA-201406-32", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" }, { "name": "RHSA-2013:1447", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1447.html" }, { "name": "RHSA-2015:0765", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "name": "RHSA-2013:1440", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1440.html" }, { "name": "RHSA-2015:0675", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "name": "61310", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61310" }, { "name": "RHSA-2015:0773", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html" }, { "name": "RHSA-2015:0720", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "name": "SUSE-SU-2013:1257", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html" }, { "name": "USN-2033-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2033-1" }, { "name": "USN-2089-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2089-1" }, { "name": "SUSE-SU-2013:1256", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html" }, { "name": "HPSBUX02944", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2" }, { "name": "RHSA-2013:1505", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1505.html" }, { "name": "HPSBUX02943", "tags": [ "vendor-advisory", "x_refsource_HP", "x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2" }, { "name": "RHSA-2014:1822", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1822.html" }, { "name": "56257", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/56257" }, { "name": "SUSE-SU-2013:1263", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html" }, { "name": "RHSA-2013:1059", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1059.html" }, { "name": "RHSA-2014:1823", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1823.html" }, { "name": "openSUSE-SU-2013:1663", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html" }, { "name": "SUSE-SU-2013:1666", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html" }, { "name": "APPLE-SA-2013-10-15-1", "tags": [ "vendor-advisory", "x_refsource_APPLE", "x_transferred" ], "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html" }, { "name": "SUSE-SU-2013:1293", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html" }, { "name": "RHSA-2013:1081", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1081.html" }, { "name": "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" }, { "name": "SUSE-SU-2013:1255", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html" }, { "name": "RHSA-2013:1451", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1451.html" }, { "name": "RHSA-2014:1818", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1818.html" }, { "name": "RHSA-2014:1821", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1821.html" }, { "name": "SUSE-SU-2013:1305", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html" }, { "name": "ibm-java-cve20134002-dos(85260)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85260" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.ibm.com/support/docview.wss?uid=swg21648172" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21657539" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/XERCESJ-1679" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\u0026r2=1499506\u0026view=patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644197" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21653371" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://support.apple.com/kb/HT5982" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-07-18T00:00:00", "descriptions": [ { "lang": "en", "value": "XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:19:06", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "name": "IC98015", "tags": [ "vendor-advisory", "x_refsource_AIXAPAR" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015" }, { "name": "RHSA-2013:1060", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1060.html" }, { "name": "RHSA-2014:0414", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2014:0414" }, { "name": "GLSA-201406-32", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" }, { "name": "RHSA-2013:1447", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1447.html" }, { "name": "RHSA-2015:0765", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "name": "RHSA-2013:1440", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1440.html" }, { "name": "RHSA-2015:0675", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "name": "61310", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61310" }, { "name": "RHSA-2015:0773", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html" }, { "name": "RHSA-2015:0720", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "name": "SUSE-SU-2013:1257", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html" }, { "name": "USN-2033-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2033-1" }, { "name": "USN-2089-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2089-1" }, { "name": "SUSE-SU-2013:1256", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html" }, { "name": "HPSBUX02944", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2" }, { "name": "RHSA-2013:1505", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1505.html" }, { "name": "HPSBUX02943", "tags": [ "vendor-advisory", "x_refsource_HP" ], "url": "http://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2" }, { "name": "RHSA-2014:1822", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1822.html" }, { "name": "56257", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/56257" }, { "name": "SUSE-SU-2013:1263", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html" }, { "name": "RHSA-2013:1059", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1059.html" }, { "name": "RHSA-2014:1823", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1823.html" }, { "name": "openSUSE-SU-2013:1663", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html" }, { "name": "SUSE-SU-2013:1666", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html" }, { "name": "APPLE-SA-2013-10-15-1", "tags": [ "vendor-advisory", "x_refsource_APPLE" ], "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html" }, { "name": "SUSE-SU-2013:1293", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html" }, { "name": "RHSA-2013:1081", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1081.html" }, { "name": "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" }, { "name": "SUSE-SU-2013:1255", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html" }, { "name": "RHSA-2013:1451", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1451.html" }, { "name": "RHSA-2014:1818", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1818.html" }, { "name": "RHSA-2014:1821", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1821.html" }, { "name": "SUSE-SU-2013:1305", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html" }, { "name": "ibm-java-cve20134002-dos(85260)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85260" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.ibm.com/support/docview.wss?uid=swg21648172" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21657539" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://issues.apache.org/jira/browse/XERCESJ-1679" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\u0026r2=1499506\u0026view=patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644197" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21653371" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://support.apple.com/kb/HT5982" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2013-4002", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "IC98015", "refsource": "AIXAPAR", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015" }, { "name": "RHSA-2013:1060", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1060.html" }, { "name": "RHSA-2014:0414", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2014:0414" }, { "name": "GLSA-201406-32", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" }, { "name": "RHSA-2013:1447", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1447.html" }, { "name": "RHSA-2015:0765", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "name": "RHSA-2013:1440", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1440.html" }, { "name": "RHSA-2015:0675", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "name": "61310", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61310" }, { "name": "RHSA-2015:0773", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html" }, { "name": "RHSA-2015:0720", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "name": "SUSE-SU-2013:1257", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html" }, { "name": "USN-2033-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2033-1" }, { "name": "USN-2089-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2089-1" }, { "name": "SUSE-SU-2013:1256", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html" }, { "name": "HPSBUX02944", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2" }, { "name": "RHSA-2013:1505", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1505.html" }, { "name": "HPSBUX02943", "refsource": "HP", "url": "http://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2" }, { "name": "RHSA-2014:1822", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1822.html" }, { "name": "56257", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56257" }, { "name": "SUSE-SU-2013:1263", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html" }, { "name": "RHSA-2013:1059", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1059.html" }, { "name": "RHSA-2014:1823", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1823.html" }, { "name": "openSUSE-SU-2013:1663", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html" }, { "name": "SUSE-SU-2013:1666", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html" }, { "name": "APPLE-SA-2013-10-15-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html" }, { "name": "SUSE-SU-2013:1293", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html" }, { "name": "RHSA-2013:1081", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1081.html" }, { "name": "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E" }, { "name": "SUSE-SU-2013:1255", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html" }, { "name": "RHSA-2013:1451", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-1451.html" }, { "name": "RHSA-2014:1818", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1818.html" }, { "name": "RHSA-2014:1821", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1821.html" }, { "name": "SUSE-SU-2013:1305", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html" }, { "name": "ibm-java-cve20134002-dos(85260)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85260" }, { "name": "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "http://www.ibm.com/support/docview.wss?uid=swg21648172", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg21648172" }, { "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21657539", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21657539" }, { "name": "https://issues.apache.org/jira/browse/XERCESJ-1679", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/XERCESJ-1679" }, { "name": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\u0026r2=1499506\u0026view=patch", "refsource": "CONFIRM", "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\u0026r2=1499506\u0026view=patch" }, { "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21644197", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644197" }, { "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21653371", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21653371" }, { "name": "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013", "refsource": "MISC", "url": "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013" }, { "name": "http://support.apple.com/kb/HT5982", "refsource": "CONFIRM", "url": "http://support.apple.com/kb/HT5982" }, { "name": "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html" }, { "name": "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002", "refsource": "CONFIRM", "url": "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002" }, { "name": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html", "refsource": "CONFIRM", "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2013-4002", "datePublished": "2013-07-23T10:00:00", "dateReserved": "2013-06-07T00:00:00", "dateUpdated": "2024-08-06T16:30:49.315Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-40235
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 12:14
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 could allow a user to cause a denial of service by removing the ability to run jobs due to improper input validation. IBM X-Force ID: 235725."
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:14:40.072Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829369" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 could allow a user to cause a denial of service by removing the ability to run jobs due to improper input validation. IBM X-Force ID: 235725.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829369" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-40235", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-09-08T00:00:00", "dateUpdated": "2024-08-03T12:14:40.072Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23437
Vulnerability from cvelistv5
Published
2022-01-24 00:00
Modified
2024-08-03 03:43
Severity ?
EPSS score ?
Summary
Infinite loop within Apache XercesJ xml parser
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Xerces |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:43:45.690Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl" }, { "name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20221028-0005/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Xerces", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.12.1", "status": "affected", "version": "Apache XercesJ", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team" } ], "descriptions": [ { "lang": "en", "value": "There\u0027s a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions." } ], "metrics": [ { "other": { "content": { "other": "high" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Infinite loop within Apache XercesJ xml parser", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-28T00:00:00", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl" }, { "name": "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20221028-0005/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Infinite loop within Apache XercesJ xml parser", "workarounds": [ { "lang": "en", "value": "Apache XercesJ users, should migrate to version 2.12.2" } ], "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23437", "datePublished": "2022-01-24T00:00:00", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:43:45.690Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-30615
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 06:56
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:56:12.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829311" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829311" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-30615", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-05-12T00:00:00", "dateUpdated": "2024-08-03T06:56:12.988Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-36374
Vulnerability from cvelistv5
Published
2021-07-14 06:20
Modified
2024-08-04 00:54
Severity ?
EPSS score ?
Summary
Apache Ant ZIP, and ZIP based, archive denial of service vulerability
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Ant |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:54:51.456Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ant.apache.org/security.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E" }, { "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E" }, { "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210819-0007/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Ant", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "Apache Ant*", "status": "affected", "version": "1.4", "versionType": "custom" }, { "lessThanOrEqual": "1.9.15", "status": "affected", "version": "Apache Ant 1.9.x", "versionType": "custom" }, { "lessThanOrEqual": "1.10.10", "status": "affected", "version": "Apache Ant 1.10.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz." } ], "descriptions": [ { "lang": "en", "value": "When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-130", "description": "CWE-130 Improper Handling of Length Parameter Inconsistency ", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:30:31", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ant.apache.org/security.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E" }, { "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E" }, { "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210819-0007/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Ant ZIP, and ZIP based, archive denial of service vulerability", "workarounds": [ { "lang": "en", "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-36374", "STATE": "PUBLIC", "TITLE": "Apache Ant ZIP, and ZIP based, archive denial of service vulerability" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Ant", "version": { "version_data": [ { "version_affected": "\u003e=", "version_name": "Apache Ant", "version_value": "1.4" }, { "version_affected": "\u003c=", "version_name": "Apache Ant 1.9.x", "version_value": "1.9.15" }, { "version_affected": "\u003c=", "version_name": "Apache Ant 1.10.x", "version_value": "1.10.10" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-130 Improper Handling of Length Parameter Inconsistency " } ] } ] }, "references": { "reference_data": [ { "name": "https://ant.apache.org/security.html", "refsource": "MISC", "url": "https://ant.apache.org/security.html" }, { "name": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E" }, { "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E" }, { "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E" }, { "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210819-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210819-0007/" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-36374", "datePublished": "2021-07-14T06:20:12", "dateReserved": "2021-07-12T00:00:00", "dateUpdated": "2024-08-04T00:54:51.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-2172
Vulnerability from cvelistv5
Published
2013-08-20 22:00
Modified
2024-08-06 15:27
Severity ?
EPSS score ?
Summary
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:41.140Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2013:1219", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html" }, { "name": "54019", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54019" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" }, { "name": "RHSA-2013:1218", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc" }, { "name": "RHSA-2013:1209", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html" }, { "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded" }, { "name": "USN-2028-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2028-1" }, { "name": "RHSA-2013:1217", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html" }, { "name": "RHSA-2013:1437", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h" }, { "name": "RHSA-2013:1207", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html" }, { "name": "RHSA-2013:1375", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" }, { "name": "RHSA-2014:0212", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "name": "RHSA-2013:1853", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html" }, { "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Dec/23" }, { "name": "RHSA-2013:1208", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html" }, { "name": "RHSA-2013:1220", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html" }, { "name": "60846", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/60846" }, { "name": "94651", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/94651" }, { "name": "DSA-3065", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-3065" }, { "name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E" }, { "name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-06-25T00:00:00", "descriptions": [ { "lang": "en", "value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-17T10:06:19", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2013:1219", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html" }, { "name": "54019", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54019" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" }, { "name": "RHSA-2013:1218", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc" }, { "name": "RHSA-2013:1209", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html" }, { "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded" }, { "name": "USN-2028-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2028-1" }, { "name": "RHSA-2013:1217", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html" }, { "name": "RHSA-2013:1437", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h" }, { "name": "RHSA-2013:1207", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html" }, { "name": "RHSA-2013:1375", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" }, { "name": "RHSA-2014:0212", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" }, { "name": "RHSA-2013:1853", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html" }, { "name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Dec/23" }, { "name": "RHSA-2013:1208", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html" }, { "name": "RHSA-2013:1220", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html" }, { "name": "60846", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/60846" }, { "name": "94651", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/94651" }, { "name": "DSA-3065", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-3065" }, { "name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E" }, { "name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2172", "datePublished": "2013-08-20T22:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:41.140Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-36109
Vulnerability from cvelistv5
Published
2022-09-09 17:20
Modified
2024-08-03 09:52
Severity ?
EPSS score ?
Summary
Moby vulnerability relating to supplementary group permissions
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32 | x_refsource_MISC | |
https://github.com/moby/moby/releases/tag/v20.10.18 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:52:00.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.18" }, { "name": "FEDORA-2022-b027a13a39", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/" }, { "name": "FEDORA-2022-8298607490", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.18" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-16T01:06:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.18" }, { "name": "FEDORA-2022-b027a13a39", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/" }, { "name": "FEDORA-2022-8298607490", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/" } ], "source": { "advisory": "GHSA-rc4r-wh2q-q6c4", "discovery": "UNKNOWN" }, "title": "Moby vulnerability relating to supplementary group permissions", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36109", "STATE": "PUBLIC", "TITLE": "Moby vulnerability relating to supplementary group permissions" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 20.10.18" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" }, { "name": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" }, { "name": "https://github.com/moby/moby/releases/tag/v20.10.18", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v20.10.18" }, { "name": "FEDORA-2022-b027a13a39", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/" }, { "name": "FEDORA-2022-8298607490", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/" } ] }, "source": { "advisory": "GHSA-rc4r-wh2q-q6c4", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36109", "datePublished": "2022-09-09T17:20:11", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41089
Vulnerability from cvelistv5
Published
2021-10-04 20:20
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
`docker cp` allows unexpected chmod of host files
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ | vendor-advisory, x_refsource_FEDORA | |
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.512Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u2019s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281: Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-14T10:06:38", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "source": { "advisory": "GHSA-v994-f8vw-g7j4", "discovery": "UNKNOWN" }, "title": "`docker cp` allows unexpected chmod of host files", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41089", "STATE": "PUBLIC", "TITLE": "`docker cp` allows unexpected chmod of host files" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 20.10.9" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u2019s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-281: Improper Preservation of Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { "name": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" }, { "name": "FEDORA-2021-df975338d4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ] }, "source": { "advisory": "GHSA-v994-f8vw-g7j4", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41089", "datePublished": "2021-10-04T20:20:15", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.512Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-22442
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 03:14
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 could allow an authenticated user to access information restricted to users with elevated privileges due to improper access controls. IBM X-Force ID: 224427."
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:14:55.133Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829325" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 could allow an authenticated user to access information restricted to users with elevated privileges due to improper access controls. IBM X-Force ID: 224427.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829325" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-22442", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-01-03T00:00:00", "dateUpdated": "2024-08-03T03:14:55.133Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31129
Vulnerability from cvelistv5
Published
2022-07-06 00:00
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
Inefficient Regular Expression Complexity in moment
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:11:39.222Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" }, { "tags": [ "x_transferred" ], "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973" }, { "tags": [ "x_transferred" ], "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3" }, { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/" }, { "name": "FEDORA-2022-85aa8e5706", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/" }, { "name": "FEDORA-2022-35b698150c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/" }, { "name": "FEDORA-2022-b9ef7c3c3c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/" }, { "name": "FEDORA-2022-798fd95813", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20221014-0003/" }, { "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moment", "vendor": "moment", "versions": [ { "status": "affected", "version": " \u003e= 2.18.0, \u003c 2.29.4" } ] } ], "descriptions": [ { "lang": "en", "value": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-31T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" }, { "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973" }, { "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3" }, { "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/" }, { "name": "FEDORA-2022-85aa8e5706", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/" }, { "name": "FEDORA-2022-35b698150c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/" }, { "name": "FEDORA-2022-b9ef7c3c3c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/" }, { "name": "FEDORA-2022-798fd95813", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/" }, { "url": "https://security.netapp.com/advisory/ntap-20221014-0003/" }, { "name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3295-1] node-moment security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html" } ], "source": { "advisory": "GHSA-wc69-rhjr-hc9g", "discovery": "UNKNOWN" }, "title": "Inefficient Regular Expression Complexity in moment" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31129", "datePublished": "2022-07-06T00:00:00", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:11:39.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-35717
Vulnerability from cvelistv5
Published
2022-11-03 00:00
Modified
2024-08-03 09:44
Severity ?
EPSS score ?
Summary
"IBM InfoSphere Information Server 11.7 could allow a locally authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-"Force ID: 231361.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
n/a | IBM InfoSphere Information Server |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:44:21.680Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.ibm.com/support/pages/node/6829365" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "IBM InfoSphere Information Server", "vendor": "n/a", "versions": [ { "status": "affected", "version": "11.7" } ] } ], "descriptions": [ { "lang": "en", "value": "\"IBM InfoSphere Information Server 11.7 could allow a locally authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-\"Force ID: 231361." } ], "problemTypes": [ { "descriptions": [ { "description": "Command Execution", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/6829365" } ] } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-35717", "datePublished": "2022-11-03T00:00:00", "dateReserved": "2022-07-12T00:00:00", "dateUpdated": "2024-08-03T09:44:21.680Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41091
Vulnerability from cvelistv5
Published
2021-10-04 20:20
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
Insufficiently restricted permissions on data directory in Docker Engine
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ | vendor-advisory, x_refsource_FEDORA | |
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281: Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-14T10:06:37", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "source": { "advisory": "GHSA-3fwx-pjgw-3558", "discovery": "UNKNOWN" }, "title": "Insufficiently restricted permissions on data directory in Docker Engine", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41091", "STATE": "PUBLIC", "TITLE": "Insufficiently restricted permissions on data directory in Docker Engine" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 20.10.9" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-281: Improper Preservation of Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, { "name": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" }, { "name": "FEDORA-2021-df975338d4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ] }, "source": { "advisory": "GHSA-3fwx-pjgw-3558", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41091", "datePublished": "2021-10-04T20:20:09", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2098
Vulnerability from cvelistv5
Published
2012-06-29 00:00
Modified
2024-08-06 19:26
Severity ?
EPSS score ?
Summary
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:26:07.686Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2013-5548", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html" }, { "name": "apache-commons-ant-bzip2-dos(75857)", "tags": [ "vdb-entry", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75857" }, { "name": "FEDORA-2012-8428", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html" }, { "name": "20120523 [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability", "tags": [ "mailing-list", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html" }, { "name": "82161", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://osvdb.org/82161" }, { "name": "53676", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53676" }, { "name": "1027096", "tags": [ "vdb-entry", "x_transferred" ], "url": "http://www.securitytracker.com/id?1027096" }, { "name": "49255", "tags": [ "third-party-advisory", "x_transferred" ], "url": "http://secunia.com/advisories/49255" }, { "name": "FEDORA-2012-8465", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html" }, { "name": "49286", "tags": [ "third-party-advisory", "x_transferred" ], "url": "http://secunia.com/advisories/49286" }, { "name": "FEDORA-2013-5546", "tags": [ "vendor-advisory", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "tags": [ "x_transferred" ], "url": "http://commons.apache.org/compress/security.html" }, { "tags": [ "x_transferred" ], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644047" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html" }, { "tags": [ "x_transferred" ], "url": "http://ant.apache.org/security.html" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "name": "[oss-security] 20230913 CVE-2023-42503: Apache Commons Compress: Denial of service via CPU consumption for malformed TAR file", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/09/13/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-05-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-13T23:06:11.753450", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "FEDORA-2013-5548", "tags": [ "vendor-advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html" }, { "name": "apache-commons-ant-bzip2-dos(75857)", "tags": [ "vdb-entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75857" }, { "name": "FEDORA-2012-8428", "tags": [ "vendor-advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html" }, { "name": "20120523 [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability", "tags": [ "mailing-list" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html" }, { "name": "82161", "tags": [ "vdb-entry" ], "url": "http://osvdb.org/82161" }, { "name": "53676", "tags": [ "vdb-entry" ], "url": "http://www.securityfocus.com/bid/53676" }, { "name": "1027096", "tags": [ "vdb-entry" ], "url": "http://www.securitytracker.com/id?1027096" }, { "name": "49255", "tags": [ "third-party-advisory" ], "url": "http://secunia.com/advisories/49255" }, { "name": "FEDORA-2012-8465", "tags": [ "vendor-advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html" }, { "name": "49286", "tags": [ "third-party-advisory" ], "url": "http://secunia.com/advisories/49286" }, { "name": "FEDORA-2013-5546", "tags": [ "vendor-advisory" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html" }, { "name": "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "url": "http://commons.apache.org/compress/security.html" }, { "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644047" }, { "url": "http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html" }, { "url": "http://ant.apache.org/security.html" }, { "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "name": "[oss-security] 20230913 CVE-2023-42503: Apache Commons Compress: Denial of service via CPU consumption for malformed TAR file", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/09/13/3" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2098", "datePublished": "2012-06-29T00:00:00", "dateReserved": "2012-04-04T00:00:00", "dateUpdated": "2024-08-06T19:26:07.686Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.