CVSS: 9.8EPSS: 94%CPEs: 97EXPL: 82CVE-2022-22965 – Spring Framework JDK 9+ Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-22965
01 Apr 2022 — A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Una aplicación Spring MVC o Spring WebFlux que es ejecutada en JDK 9+ puede ser ... • https://packetstorm.news/files/id/167011 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 1%CPEs: 14EXPL: 0CVE-2021-41973 – Apache MINA HTTP listener DOS
https://notcve.org/view.php?id=CVE-2021-41973
01 Nov 2021 — In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater. En Apache MINA, una petición HTTP específicamente diseñada y malformada puede causar que el decodificador de encabezados HTTP haga un bucle indefinido. El decodificador asume que el encabezado HTTP comienza al principio del buf... • http://www.openwall.com/lists/oss-security/2021/11/01/2 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0CVE-2021-30129 – DoS/OOM leak vulnerability in Apache Mina SSHD Server
https://notcve.org/view.php?id=CVE-2021-30129
12 Jul 2021 — A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 Una vulnerabilidad en sshd-core de Apache Mina SSHD, permite a un atacante desbordar el servidor causando un error de tipo OutOfMemory. Este problema afecta a las funcionalidades SFTP y port forwarding de Apache Mina SSHD versión 2.0.0 y... • http://www.openwall.com/lists/oss-security/2021/07/12/1 • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-14731
https://notcve.org/view.php?id=CVE-2020-14731
21 Oct 2020 — Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Segment). Supported versions that are affected are 18.0 and 19.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Retail Customer Management and Segmenta... • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14708
https://notcve.org/view.php?id=CVE-2020-14708
15 Jul 2020 — Vulnerability in the Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Segment). Supported versions that are affected are 16.0, 17.0 and 18.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Customer Management and Segmentation Foundation access... • https://www.oracle.com/security-alerts/cpujul2020.html •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14709
https://notcve.org/view.php?id=CVE-2020-14709
15 Jul 2020 — Vulnerability in the Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Card). Supported versions that are affected are 16.0, 17.0 and 18.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Customer Management and Segmentati... • https://www.oracle.com/security-alerts/cpujul2020.html •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14710
https://notcve.org/view.php?id=CVE-2020-14710
15 Jul 2020 — Vulnerability in the Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Security). Supported versions that are affected are 16.0, 17.0 and 18.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Customer Management and Segmentation Foundation acces... • https://www.oracle.com/security-alerts/cpujul2020.html •
CVSS: 9.8EPSS: 2%CPEs: 79EXPL: 0CVE-2020-10683 – dom4j: XML External Entity vulnerability in default SAX parser
https://notcve.org/view.php?id=CVE-2020-10683
01 May 2020 — dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. dom4j versiones anteriores a 2.0.3 y versiones 2.1.x anteriores a 2.1.3, permite DTDs y External Entities por defecto, lo que podría permitir ataques de tipo XXE. Sin embargo, existe una documentación externa popular de OWASP que mues... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 101EXPL: 0CVE-2020-9488 – log4j: improper validation of certificate with host mismatch in SMTP appender
https://notcve.org/view.php?id=CVE-2020-9488
27 Apr 2020 — Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 Validación incorrecta del certificado con desajuste de host en el apéndice SMTP de Apache Log4j. Esto podría permitir que una conexión SMTPS fuera interceptada por un ataque de tipo man-in-the-middle que podría filtrar cualquier mensaje de ... • https://issues.apache.org/jira/browse/LOG4J2-2819 • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2020-2953
https://notcve.org/view.php?id=CVE-2020-2953
15 Apr 2020 — Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation product of Oracle Retail Applications (component: Promotions). The supported version that is affected is 18.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. Successful attacks of this vulnerability can result in takeover of Oracle Retail Customer Management and Segmentation Foundation. CVSS 3.0 Base Sco... • https://www.oracle.com/security-alerts/cpuapr2020.html •