CVE-2019-14892 – jackson-databind: Serialization gadgets in classes of the commons-configuration package
https://notcve.org/view.php?id=CVE-2019-14892
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. Se detectó un fallo en jackson-databind en las versiones anteriores a 2.9.10, 2.8.11.5 y 2.6.7.3, donde permitiría una deserialización polimórfica de un objeto malicioso utilizando las clases JNDI de commons-configuration 1 y 2. Un atacante podría usar este fallo para ejecutar código arbitrario. • https://access.redhat.com/errata/RHSA-2020:0729 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892 https://github.com/FasterXML/jackson-databind/issues/2462 https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E https://security.netapp.com/advisory/ntap-20200904-0005 https://access.redhat.com/security/cve/CVE-2019-14892 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVE-2014-0169
https://notcve.org/view.php?id=CVE-2014-0169
In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application. En JBoss EAP versión 6, un dominio de seguridad está configurado para usar una caché que es compartida entre todas las aplicaciones que están en el dominio de seguridad. Esto podría permitir a un usuario autenticado en una aplicación acceder a recursos protegidos en otra aplicación sin la autorización apropiada. • https://access.redhat.com/security/cve/cve-2014-0169 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0169 • CWE-863: Incorrect Authorization •
CVE-2012-2312
https://notcve.org/view.php?id=CVE-2012-2312
An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges. Se presenta un problema de privilegios elevados en JBoss AS 7 Community Release, debido a la implementación inapropiada en la propagación del contexto de seguridad. Se reutiliza una amenaza del grupo de hilos (subprocesos) que aún conserva el contexto de seguridad del último proceso utilizado, lo que permite a un usuario local obtener privilegios elevados. • https://access.redhat.com/security/cve/cve-2012-2312 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312 https://security-tracker.debian.org/tracker/CVE-2012-2312 • CWE-269: Improper Privilege Management •
CVE-2013-6495 – Bayeux: Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2013-6495
JBossWeb Bayeux has reflected XSS JBossWeb Bayeux presenta una vulnerabilidad de tipo XSS. • https://access.redhat.com/security/cve/cve-2013-6495 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6495 https://access.redhat.com/security/cve/CVE-2013-6495 https://bugzilla.redhat.com/show_bug.cgi?id=1066794 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-10172 – jackson-mapper-asl: XML external entity similar to CVE-2016-3720
https://notcve.org/view.php?id=CVE-2019-10172
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. Se detectó un fallo en las bibliotecas org.codehaus.jackson:jackson-mapper-asl:1.9.x. Las vulnerabilidades de tipo XML external entity similares a CVE-2016-3720, también afectan a las bibliotecas codehaus jackson-mapper-asl pero en diferentes clases. A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries such that an XML external entity (XXE) vulnerability affects codehaus's jackson-mapper-asl libraries. • https://github.com/rusakovichma/CVE-2019-10172 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172 https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5 • CWE-611: Improper Restriction of XML External Entity Reference •