
CVSS: 9.8 | EPSS: 1% | CPEs: 14 | EXPL: 0

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

• https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858 https://access.redhat.com/errata/RHSA-2019:3002 https://access.redhat.com/errata/RHSA-2019:3140 https://access.redhat.com/errata/RHSA-2019:3149 https://access.redhat.com/errata/RHSA-2019:3892 https://access.redhat.com/errata/RHSA
• CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

• http://www.securityfocus.com/bid/106749 https://pivotal.io/security/cve-2019-3772 https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 9.8 | EPSS: 3% | CPEs: 58 | EXPL: 0

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code.

• http://www.securityfocus.com/bid/106601 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:1782 https://access.redhat.com/errata/RHSA-2019:1797 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858&
• CWE-502: Deserialization of Untrusted Data

CVSS: 6.4 | EPSS: 0% | CPEs: 3 | EXPL: 0

Vulnerability in the Oracle Retail Customer Management and Segmentation Foundation component of Oracle Retail Applications (subcomponent: Internal Operations). Supported versions that are affected are 16.x and 17.x. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Retail Customer Management and Segmentation Foundation. While the vulnerability is in Oracle Retail Customer Management and Segmentation Foundation, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Retail Customer Management and Segmentation Foundation accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Retail Customer Management and Segmentation Foundation.

• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.securityfocus.com/bid/104827