CVSS: 5.3EPSS: 0%CPEs: 55EXPL: 0CVE-2017-10281 – OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109)
https://notcve.org/view.php?id=CVE-2017-10281
19 Oct 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (part... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.6EPSS: 0%CPEs: 54EXPL: 0CVE-2017-10285 – OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966)
https://notcve.org/view.php?id=CVE-2017-10285
19 Oct 2017 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significa... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html •
CVSS: 4.3EPSS: 0%CPEs: 55EXPL: 0CVE-2017-10295 – OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751)
https://notcve.org/view.php?id=CVE-2017-10295
19 Oct 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful at... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.1EPSS: 1%CPEs: 38EXPL: 2CVE-2017-10309 – Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure
https://notcve.org/view.php?id=CVE-2017-10309
19 Oct 2017 — Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result i... • https://packetstorm.news/files/id/144859 •
CVSS: 6.2EPSS: 0%CPEs: 54EXPL: 0CVE-2017-10356 – OpenJDK: weak protection of key stores against brute forcing (Security, 8181692)
https://notcve.org/view.php?id=CVE-2017-10356
19 Oct 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized access to criti... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.0EPSS: 1%CPEs: 2EXPL: 0CVE-2015-5164
https://notcve.org/view.php?id=CVE-2015-5164
18 Oct 2017 — The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp. El servidor Qpid en Red Hat Satellite 6 no restringe correctamente los tipos de mensaje, lo que permite que usuarios autenticados remotos con acceso administrativo en un host de contenidos gestionado para ejecutar código arbitrario mediante ... • https://bugzilla.redhat.com/show_bug.cgi?id=1247732 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.0EPSS: 0%CPEs: 17EXPL: 0CVE-2017-7536 – hibernate-validator: Privilege escalation when running under the security manager
https://notcve.org/view.php?id=CVE-2017-7536
26 Sep 2017 — In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). En Hibernate Val... • http://www.securityfocus.com/bid/101048 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7538 – 5: organization name allows XSS
https://notcve.org/view.php?id=CVE-2017-7538
06 Sep 2017 — A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users. Se ha detectado una vulnerabilidad Cross-Site Scripting (XSS) en la manera en la que se muestra un nombre de organización en Satellite 5 en versiones anteriores a la 5.8. Un usuario capaz de cambiar el nombre de una organización podría explotar esta vulnerabilidad para realiz... • http://www.securitytracker.com/id/1039267 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8163
https://notcve.org/view.php?id=CVE-2014-8163
28 Aug 2017 — Directory traversal vulnerability in the XMLRPC interface in Red Hat Satellite 5. Existe una vulnerabilidad de salto de directorio en la interfaz XMLRPC en Red Hat Satellite 5. • https://access.redhat.com/security/cve/cve-2014-8163 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8168
https://notcve.org/view.php?id=CVE-2014-8168
28 Aug 2017 — Red Hat Satellite 6 allows local users to access mongod and delete pulp_database. Red Hat Satellite 6 permite que los usuarios locales accedan a mongod y borren pulp_database. • https://bugzilla.redhat.com/show_bug.cgi?id=1192249 • CWE-284: Improper Access Control •