CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 1CVE-2019-20445 – netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
https://notcve.org/view.php?id=CVE-2019-20445
29 Jan 2020 — HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. "El archivo HttpObjectDecoder.java en Netty versiones anteriores a 4.1.44, permite que un encabezado Content-Length esté acompañado por un segundo encabezado Content-Length o por un encabezado Transfer-Encoding." A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Enco... • https://access.redhat.com/errata/RHSA-2020:0497 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.8EPSS: 70%CPEs: 17EXPL: 3CVE-2019-17570 – xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response
https://notcve.org/view.php?id=CVE-2019-17570
23 Jan 2020 — An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. Se detectó una deserialización no confiable en el método org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult de la biblioteca Apache XML-RPC (también se conoce como ws-xmlrpc). Un servidor... • https://github.com/r00t4dm/CVE-2019-17570 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 5%CPEs: 17EXPL: 0CVE-2019-14907 – samba: Crash after failed character conversion at log level 3 or above
https://notcve.org/view.php?id=CVE-2019-14907
21 Jan 2020 — All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client a... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00055.html • CWE-125: Out-of-bounds Read •
CVSS: 6.1EPSS: 4%CPEs: 12EXPL: 1CVE-2020-7106 – Gentoo Linux Security Advisory 202003-40
https://notcve.org/view.php?id=CVE-2020-7106
16 Jan 2020 — Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS). Cacti versión 1.2.8, tiene un vulnerabilidad de tipo XSS almacenado en los archivos data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php,... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 75EXPL: 0CVE-2020-2654 – OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
https://notcve.org/view.php?id=CVE-2020-2654
15 Jan 2020 — Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in th... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.8EPSS: 3%CPEs: 9EXPL: 1CVE-2020-2655 – OpenJDK: Incorrect handling of unexpected CertificateVerify TLS handshake messages (JSSE, 8231780)
https://notcve.org/view.php?id=CVE-2020-2655
15 Jan 2020 — Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Ja... • https://github.com/RUB-NDS/CVE-2020-2655-DemoServer • CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2020-2659 – OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795)
https://notcve.org/view.php?id=CVE-2020-2659
15 Jan 2020 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vul... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.1EPSS: 2%CPEs: 68EXPL: 0CVE-2020-2604 – OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)
https://notcve.org/view.php?id=CVE-2020-2604
15 Jan 2020 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typi... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html • CWE-471: Modification of Assumed-Immutable Data (MAID) CWE-502: Deserialization of Untrusted Data •
CVSS: 4.3EPSS: 0%CPEs: 75EXPL: 0CVE-2020-2583 – OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)
https://notcve.org/view.php?id=CVE-2020-2583
15 Jan 2020 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embed... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html • CWE-755: Improper Handling of Exceptional Conditions CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 75EXPL: 0CVE-2020-2590 – OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352)
https://notcve.org/view.php?id=CVE-2020-2590
15 Jan 2020 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vu... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html • CWE-20: Improper Input Validation •