CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-2659
https://notcve.org/view.php?id=CVE-2018-2659
18 Jan 2018 — Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Web Runtime SEC). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional product... • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html •
CVSS: 6.2EPSS: 2%CPEs: 20EXPL: 0CVE-2017-15707
https://notcve.org/view.php?id=CVE-2017-15707
01 Dec 2017 — In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. El plugin REST en Apache Struts desde la versión 2.5 hasta la 2.5.14 emplea una librería JSON-lib desactualizada vulnerable y que permite llevar a cabo un ataque de denegación de servicio utilizando una petición maliciosa con una carga útil JSON especialmente manipulada. • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 8%CPEs: 58EXPL: 0CVE-2017-15095 – jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
https://notcve.org/view.php?id=CVE-2017-15095
13 Nov 2017 — A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. Se ha descubierto un error de deserialización en jackson-databind, en versiones anteriores a la 2.8.10 y a la 2.9.1, que podría permitir que un usu... • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html • CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-3517
https://notcve.org/view.php?id=CVE-2017-3517
24 Apr 2017 — Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Web Runtime SEC). The supported version that is affected is 9.2. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data and unauthorized ability to cause a partial denial of se... • http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html •
CVSS: 9.8EPSS: 94%CPEs: 174EXPL: 2CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
17 Apr 2017 — In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se des... • https://github.com/pimps/CVE-2017-5645 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 69%CPEs: 87EXPL: 1CVE-2016-8610 – SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
https://notcve.org/view.php?id=CVE-2016-8610
30 Jan 2017 — A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. Se ha encontrado un fallo de denegación de servicio en OpenSSL en las versiones 0.9.8, 1.0.1, 1.0.2 hasta la 1.0.2h y la 1.1.0 en la forma en la que el protocolo TLS/SSL de... • https://github.com/cujanovic/CVE-2016-8610-PoC • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 60%CPEs: 18EXPL: 4CVE-2017-3730 – Bad (EC)DHE parameters cause a client crash
https://notcve.org/view.php?id=CVE-2017-3730
26 Jan 2017 — In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. En OpenSSL versión 1.1.0 anterior a 1.1.0d, si un servidor malicioso suministra parámetros incorrectos para un intercambio de claves DHE o ECDHE, entonces esto puede resultar en que el cliente intente desreferenciar un puntero NULL que conduce ... • https://packetstorm.news/files/id/140804 • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 85%CPEs: 10EXPL: 3CVE-2015-1793 – OpenSSL - Alternative Chains Certificate Forgery
https://notcve.org/view.php?id=CVE-2015-1793
09 Jul 2015 — The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate. La función de verificación de certificado X509 en crypto/x509/x509_vfy.c en OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, y 1.0.2c no procesa correctamente lo... • https://packetstorm.news/files/id/134250 • CWE-254: 7PK - Security Features CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-6565
https://notcve.org/view.php?id=CVE-2014-6565
21 Jan 2015 — Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 9.1.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Portal SEC. Vulnerabilidad no especificada en el componente JD Edwards EnterpriseOne Tools en Oracle JD Edwards Products 9.1.5 permite a atacantes remotos afectar la confidencialidad, integridad, y disponibilidad a través de vectores relacionados con Portal SEC. • http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2011-2317
https://notcve.org/view.php?id=CVE-2011-2317
18 Jan 2012 — Unspecified vulnerability in the EnterpriseOne Tools component in Oracle JD Edwards 8.98 SP 24 allows remote authenticated users to affect integrity, related to Enterprise Infrastucture SEC (JDNET). Vulnerabilidad no especificada en el componente EnterpriseOne Tools en Oracle JD Edwards 8.98 SP 24 permite a usuarios autenticados remotos afectar a la integridad, relacionado con Enterprise Infrastucture SEC (JDNET). • http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html •