CVE-2018-16881 – rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled
https://notcve.org/view.php?id=CVE-2018-16881
A denial of service vulnerability was found in rsyslog in the imptcp module. An attacker could send a specially crafted message to the imptcp socket, which would cause rsyslog to crash. Versions before 8.27.0 are vulnerable. Se ha detectado una vulnerabilidad de denegación de servicio (DoS) en rsyslog en el módulo imptcp. Un atacante podría enviar un mensaje especialmente manipulado al socket imptcp, lo que conduciría al cierre forzado de rsyslog. • https://access.redhat.com/errata/RHBA-2019:2501 https://access.redhat.com/errata/RHSA-2019:2110 https://access.redhat.com/errata/RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2439 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16881 https://lists.debian.org/debian-lts-announce/2022/05/msg00028.html https://access.redhat.com/security/cve/CVE-2018-16881 https://bugzilla.redhat.com/show_bug.cgi?id=1658366 • CWE-190: Integer Overflow or Wraparound •
CVE-2018-14720 – jackson-databind: exfiltration/XXE in some JDK classes
https://notcve.org/view.php?id=CVE-2018-14720
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes realizar ataques de tipo XML External Entity Injection (XXE) aprovechando su incapacidad de bloquear clases JDK no especificadas de deserialización polimórfica. • https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2858 https://access.redhat.com/errata/RHSA • CWE-502: Deserialization of Untrusted Data CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2018-14721 – jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
https://notcve.org/view.php?id=CVE-2018-14721
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos realizar ataques de SSRF (Server-Side Request Forgery) aprovechando un fallo para bloquear la clase axis2-ext de deserialización polimórfica. • https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2858 https://access.redhat.com/errata/RHSA • CWE-352: Cross-Site Request Forgery (CSRF) CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2018-14718 – jackson-databind: arbitrary code execution in slf4j-ext class
https://notcve.org/view.php?id=CVE-2018-14718
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear la clase slf4j-ext de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code. • http://www.securityfocus.com/bid/106601 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:1782 https://access.redhat.com/errata/RHSA-2019:1797 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858& • CWE-502: Deserialization of Untrusted Data •
CVE-2018-14719 – jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
https://notcve.org/view.php?id=CVE-2018-14719
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.7 podrían permitir a los atacantes remotos ejecutar código arbitrario aprovechando un fallo para bloquear las clases blaze-ds-opt y blaze-ds-core de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code. • https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:1782 https://access.redhat.com/errata/RHSA-2019:1797 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858 https://access.redhat.com/errata/RHSA • CWE-502: Deserialization of Untrusted Data •