CVE-2019-2983 – OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915)
https://notcve.org/view.php?id=CVE-2019-2983
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://access.redhat.com/errata/RHSA-2019:3134 https://access.redhat.com/errata/RHSA-2019:3135 https://access.redhat.com/errata/RHSA-2019:3136 https://access.redhat.com/errata/RHSA-2019:3157 https • CWE-248: Uncaught Exception •
CVE-2019-10198 – foreman: authorization bypasses in foreman-tasks leading to information disclosure
https://notcve.org/view.php?id=CVE-2019-10198
An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task. Se descubrió una vulnerabilidad de identificación de bypass en foreman-tasks anterior a 0.15.7. anteriormente las tareas de confirmación fueron buscadas a través de find_resoruce, la cual realizó verificaciones de autorización. Después de cambiar a foreman, un usuario no identificado poder visualizar los detalles de una tarea a través de la web UI o API, si pueden descubrir o adivinar la tarea. • https://access.redhat.com/errata/RHSA-2019:3172 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10198 https://projects.theforeman.org/issues/27275 https://access.redhat.com/security/cve/CVE-2019-10198 https://bugzilla.redhat.com/show_bug.cgi?id=1729130 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function CWE-592: DEPRECATED: Authentication Bypass Issues •
CVE-2019-11775 – JDK: Failure to privatize a value pulled out of the loop by versioning
https://notcve.org/view.php?id=CVE-2019-11775
All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop. This can lead to a variety of different issues but read out of array bounds is one major consequence of these problems. Todas las compilaciones de OpenJ9 de Eclipse anteriores a versión 0.15, contienen un bug donde el versionador de bucle puede fallar al privatizar un valor que se extrae del bucle mediante el versionado – por ejemplo, si hay una condición que es movida fuera del bucle que lee un campo no podemos privatizar el valor de ese campo en la copia modificada del bucle permitiendo a la prueba visualizar un valor del campo y posteriormente el bucle para visualizar un valor del campo modificado sin volver a probar la condición movida fuera del bucle. Esto puede conllevar a una variedad de problemas diferentes, pero la lectura fuera de límites de la matriz es una consecuencia importante de estos problemas. • https://access.redhat.com/errata/RHSA-2019:2494 https://access.redhat.com/errata/RHSA-2019:2495 https://access.redhat.com/errata/RHSA-2019:2585 https://access.redhat.com/errata/RHSA-2019:2590 https://access.redhat.com/errata/RHSA-2019:2592 https://access.redhat.com/errata/RHSA-2019:2737 https://bugs.eclipse.org/bugs/show_bug.cgi?id=549601 https://access.redhat.com/security/cve/CVE-2019-11775 https://bugzilla.redhat.com/show_bug.cgi?id=1738549 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2019-2816 – OpenJDK: Missing URL format validation (Networking, 8221518)
https://notcve.org/view.php?id=CVE-2019-2816
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://access.redhat.com/errata/RHSA-2019:2494 https://access.redhat.com/errata/RHSA-2019:2495 https://access.redhat.com/errata/RHSA-2019:2585 https://access.redhat.com/errata/RHSA-2019:2590 https://access.redhat.com/errata/RHSA-2019:2592 https://access.redhat.com • CWE-20: Improper Input Validation •
CVE-2019-2769 – OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432)
https://notcve.org/view.php?id=CVE-2019-2769
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://access.redhat.com/errata/RHSA-2019:2494 https://access.redhat.com/errata/RHSA-2019:2495 https://access.redhat.com/errata/RHSA-2019:2585 https://access.redhat.com/errata/RHSA-2019:2590 https://access.redhat.com/errata/RHSA-2019:2592 https://access.redhat.com • CWE-770: Allocation of Resources Without Limits or Throttling •