Filtered by vendor Oracle Subscriptions
Filtered by product Communications Session Route Manager Subscriptions
Total 74 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-23437 4 Apache, Netapp, Oracle and 1 more 31 Xerces-j, Active Iq Unified Manager, Agile Engineering Data Management and 28 more 2024-11-21 6.5 Medium
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CVE-2021-45105 6 Apache, Debian, Netapp and 3 more 131 Log4j, Debian Linux, Cloud Manager and 128 more 2024-11-21 5.9 Medium
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CVE-2021-44790 8 Apache, Apple, Debian and 5 more 20 Http Server, Mac Os X, Macos and 17 more 2024-11-21 9.8 Critical
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE-2021-44224 7 Apache, Apple, Debian and 4 more 15 Http Server, Mac Os X, Macos and 12 more 2024-11-21 8.2 High
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
CVE-2021-36090 4 Apache, Netapp, Oracle and 1 more 36 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 33 more 2024-11-21 7.5 High
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2021-35517 4 Apache, Netapp, Oracle and 1 more 29 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 26 more 2024-11-21 7.5 High
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVE-2021-35516 4 Apache, Netapp, Oracle and 1 more 26 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 23 more 2024-11-21 7.5 High
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35515 4 Apache, Netapp, Oracle and 1 more 28 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 25 more 2024-11-21 7.5 High
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-34428 5 Debian, Eclipse, Netapp and 2 more 21 Debian Linux, Jetty, Active Iq Unified Manager and 18 more 2024-11-21 2.9 Low
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVE-2021-33037 5 Apache, Debian, Mcafee and 2 more 25 Tomcat, Tomee, Debian Linux and 22 more 2024-11-21 5.3 Medium
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
CVE-2021-2351 1 Oracle 111 Advanced Networking Option, Agile Engineering Data Management, Agile Plm and 108 more 2024-11-21 8.3 High
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2021-28165 5 Eclipse, Jenkins, Netapp and 2 more 28 Jetty, Jenkins, Cloud Manager and 25 more 2024-11-21 7.5 High
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-28164 4 Eclipse, Netapp, Oracle and 1 more 23 Jetty, Cloud Manager, E-series Performance Analyzer and 20 more 2024-11-21 5.3 Medium
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28163 6 Apache, Eclipse, Fedoraproject and 3 more 30 Ignite, Solr, Jetty and 27 more 2024-11-21 2.7 Low
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2021-26117 5 Apache, Debian, Netapp and 2 more 10 Activemq, Activemq Artemis, Debian Linux and 7 more 2024-11-21 7.5 High
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.
CVE-2021-22696 3 Apache, Oracle, Redhat 8 Cxf, Business Intelligence, Communications Diameter Intelligence Hub and 5 more 2024-11-21 7.5 High
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.
CVE-2021-22118 4 Netapp, Oracle, Redhat and 1 more 34 Hci, Management Services For Element Software, Commerce Guided Search and 31 more 2024-11-21 7.8 High
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
CVE-2020-9548 5 Debian, Fasterxml, Netapp and 2 more 35 Debian Linux, Jackson-databind, Active Iq Unified Manager and 32 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVE-2020-9546 5 Debian, Fasterxml, Netapp and 2 more 41 Debian Linux, Jackson-databind, Active Iq Unified Manager and 38 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVE-2020-9490 7 Apache, Canonical, Debian and 4 more 28 Http Server, Ubuntu Linux, Debian Linux and 25 more 2024-11-21 7.5 High
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.