CVSS: 5.9EPSS: 65%CPEs: 213EXPL: 10CVE-2021-45105 – Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
https://notcve.org/view.php?id=CVE-2021-45105
18 Dec 2021 — Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. Apache Log4j2 versiones 2.0-alpha1 hasta 2.16.0 (excluyendo las versiones 2.12.3 y 2.3.1) no protegían de la recursión no controlada de las búsquedas autorreferenciales.... • https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832 • CWE-20: Improper Input Validation CWE-674: Uncontrolled Recursion •
CVSS: 8.3EPSS: 1%CPEs: 248EXPL: 6CVE-2021-2351 – Oracle Database Weak NNE Integrity Key Derivation
https://notcve.org/view.php?id=CVE-2021-2351
20 Jul 2021 — Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful atta... • https://packetstorm.news/files/id/165258 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 72EXPL: 0CVE-2021-36090 – Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
https://notcve.org/view.php?id=CVE-2021-36090
13 Jul 2021 — When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Al leer un archivo ZIP especialmente diseñado, Compress puede asignar grandes cantidades de memoria que finalmente conllevan a un error de falta de memoria incluso para entradas muy pequeñas. Esto podría ser usado para montar un ata... • http://www.openwall.com/lists/oss-security/2021/07/13/4 • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 34EXPL: 0CVE-2021-21348 – XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)
https://notcve.org/view.php?id=CVE-2021-21348
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. XStream es un... • http://x-stream.github.io/changes.html#1.4.16 • CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data •
CVSS: 8.6EPSS: 4%CPEs: 37EXPL: 2CVE-2021-21349 – A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
https://notcve.org/view.php?id=CVE-2021-21349
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will ha... • https://github.com/s-index/CVE-2021-21349 • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 17%CPEs: 37EXPL: 1CVE-2021-21350 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-21350
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. XStream es ... • http://x-stream.github.io/changes.html#1.4.16 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 91%CPEs: 34EXPL: 1CVE-2021-21351 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-21351
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least versi... • http://x-stream.github.io/changes.html#1.4.16 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 14%CPEs: 29EXPL: 3CVE-2021-21341 – XStream can cause a Denial of Service
https://notcve.org/view.php?id=CVE-2021-21341
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on... • https://github.com/s-index/CVE-2021-21341 • CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 3%CPEs: 33EXPL: 1CVE-2021-21342 – A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
https://notcve.org/view.php?id=CVE-2021-21342
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup ... • http://x-stream.github.io/changes.html#1.4.16 • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 2%CPEs: 33EXPL: 1CVE-2021-21343 – XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights
https://notcve.org/view.php?id=CVE-2021-21343
22 Mar 2021 — XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendatio... • http://x-stream.github.io/changes.html#1.4.16 • CWE-73: External Control of File Name or Path CWE-502: Deserialization of Untrusted Data CWE-552: Files or Directories Accessible to External Parties •