CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2019-2897
https://notcve.org/view.php?id=CVE-2019-2897
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. While the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. • http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.oracle.com/security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuoct2020.html •
CVSS: 9.8EPSS: 1%CPEs: 18EXPL: 0CVE-2019-17195 – nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
https://notcve.org/view.php?id=CVE-2019-17195
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. Connect2id Nimbus JOSE+JWT versiones anteriores a v7.9, puede arrojar varias excepciones no captadas al analizar un JWT, lo que podría resultar en un bloqueo de la aplicación (potencial divulgación de información) o una posible omisión de autenticación. A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability. • https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt https://connect2id.com/blog/nimbus-jose-jwt-7-9 https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d%40%3Ccommon-dev.hadoop.apache.org%3E https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41%40%3Ccommon-issues.hadoop.apache.org%3E https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.ht • CWE-248: Uncaught Exception CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 9.8EPSS: 0%CPEs: 180EXPL: 0CVE-2019-13990 – libquartz: XXE attacks via job description
https://notcve.org/view.php?id=CVE-2019-13990
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. La función initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versión 2.3.0, permite ataques de tipo XXE por medio de una descripción del trabajo. The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of XML external entity (XXE) declarations in the initDocumentParser function within xml/XMLSchedulingDataProcessor.java. By enticing a victim to access a maliciously crafted job description (containing XML content), a remote attacker could exploit this vulnerability to execute an XXE attack on the targeted system. • https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html https://github.com/quartz-scheduler/quartz/issues/467 https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E https://lists.apache.org/thread.html/6b6e3480b19856365fb5e • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-0188
https://notcve.org/view.php?id=CVE-2019-0188
Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. Apache Camel en versiones anteriores a la 2.24.0 contiene una vulnerabilidad de XML external entity injection (XXE) (CWE-611) debido al uso de una biblioteca JSON-lib obsoleta y vulnerable. Esto afecta solo al componente Camel-xmljson, que se eliminó. • http://jvn.jp/en/jp/JVN71498764/index.html http://www.openwall.com/lists/oss-security/2019/05/24/2 http://www.securityfocus.com/bid/108422 https://github.com/apache/camel/blob/master/docs/user-manual/en/security-advisories/CVE-2019-0188.txt.asc https://lists.apache.org/thread.html/00118387610522b107cbdcec5369ddd512b576ff0236a02bfca12f44%40%3Cusers.camel.apache.org%3E https://lists.apache.org/thread.html/45349f8bd98c1c13a84beddede18fe79b8619ebab99d90f1fb43d7ab%40%3Cdev.tamaya.apache.org%3E https://lists.apache.or • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 3%CPEs: 19EXPL: 1CVE-2019-5427 – c3p0: loading XML configuration leads to denial of service
https://notcve.org/view.php?id=CVE-2019-5427
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. En c3p0 versiones <0.9.5.4, puede ser explotada por un ataque de tipo a billion laughs al cargar la configuración XML producto de la falta de protecciones faltantes contra la expansión recursiva de la entidad al cargar la configuración. • https://hackerone.com/reports/509315 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle. • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •