Search
Search Results (49 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-12419 | 3 Apache, Oracle, Redhat | 8 Cxf, Commerce Guided Search, Enterprise Manager Base Platform and 5 more | 2024-11-21 | 9.8 Critical |
| Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client. | ||||
| CVE-2019-12415 | 3 Apache, Oracle, Redhat | 28 Poi, Application Testing Suite, Banking Enterprise Originations and 25 more | 2024-11-21 | 5.5 Medium |
| In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. | ||||
| CVE-2019-12406 | 3 Apache, Oracle, Redhat | 8 Cxf, Commerce Guided Search, Flexcube Private Banking and 5 more | 2024-11-21 | 6.5 Medium |
| Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count". | ||||
| CVE-2019-12402 | 4 Apache, Fedoraproject, Oracle and 1 more | 20 Commons Compress, Fedora, Banking Payments and 17 more | 2024-11-21 | 7.5 High |
| The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. | ||||
| CVE-2019-12399 | 3 Apache, Oracle, Redhat | 14 Kafka, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 11 more | 2024-11-21 | 7.5 High |
| When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. | ||||
| CVE-2019-10241 | 5 Apache, Debian, Eclipse and 2 more | 9 Activemq, Drill, Debian Linux and 6 more | 2024-11-21 | 6.1 Medium |
| In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. | ||||
| CVE-2019-10086 | 6 Apache, Debian, Fedoraproject and 3 more | 73 Commons Beanutils, Nifi, Debian Linux and 70 more | 2024-11-21 | 7.3 High |
| In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | ||||
| CVE-2019-0188 | 2 Apache, Oracle | 5 Camel, Enterprise Data Quality, Enterprise Manager Base Platform and 2 more | 2024-11-21 | 7.5 High |
| Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. | ||||
| CVE-2018-11775 | 3 Apache, Oracle, Redhat | 4 Activemq, Enterprise Repository, Flexcube Private Banking and 1 more | 2024-11-21 | N/A |
| TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default. | ||||