Page 2 of 13 results (0.013 seconds)

CVSS: 8.1EPSS: 7%CPEs: 34EXPL: 0

CVE-2016-0376 – JDK: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix

https://notcve.org/view.php?id=CVE-2016-0376

The com.ibm.rmi.io.SunSerializableFactory class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) does not properly deserialize classes in an AccessController doPrivileged block, which allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code as demonstrated by the readValue method of the com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton class, which implements the javax.rmi.CORBA.ValueHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-5456. La clase com.ibm.rmi.io.SunSerializableFactory en IBM SDK, Java Technology Edition 6 en versiones anteriores a SR16 FP25 (6.0.16.25), 6 R1 en versiones anteriores a SR8 FP25 (6.1.8.25), 7 en versiones anteriores a SR9 FP40 (7.0.9.40), 7 R1 en versiones anteriores a SR3 FP40 (7.1.3.40) y 8 en versiones anteriores a SR3 (8.0.3.0) no deserializa correctamente las clases en un bloque AccessController doPrivileged, lo que permite a atacantes remotos eludir un mecanismo de protección sandbox y ejecutar código arbitrario como se demuestra mediante el método readValue de la clase com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton, lo que implementa la interfaz javax.rmi.CORBA.ValueHandler. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2013-5456. • http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html http://lists.opensuse.org/opensuse-security-announce/2016-05 •

CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0

CVE-2015-5041 – JDK: J9 JVM allows code to invoke non-public interface methods

https://notcve.org/view.php?id=CVE-2015-5041

The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods. El JVM J9 en IBM SDK, Java Technology Edition 6 en versiones anteriores a SR16 FP20, 6 R1 en versiones anteriores a SR8 FP20, 7 en versiones anteriores a SR9 FP30 y 7 R1 en versiones anteriores a SR3 FP30 permite a atacantes remotos obtener información sensible o inyectar datos invocando a métodos de interfaz no públicos. • http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00028.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00032.html http://www-01.ibm.com/support/docview.wss?uid=swg1IV72872 http://www-01.ibm.com/support/docview.wss?uid=swg21974194 http://www.securityfocus.com/bid/82451 https://access.redhat.com/errata/RHSA-201 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 2.1EPSS: 0%CPEs: 30EXPL: 0

CVE-2015-5006 – JDK: local disclosure of kerberos credentials cache

https://notcve.org/view.php?id=CVE-2015-5006

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR2, 7 R1 before SR3 FP20, 7 before SR9 FP20, 6 R1 before SR8 FP15, and 6 before SR16 FP15 allow physically proximate attackers to obtain sensitive information by reading the Kerberos Credential Cache. IBM Java Security Components en IBM SDK, Java Technology Edition 8 en versiones anteriores a SR2, 7 R1 en versiones anteriores a SR3 FP20, 7 en versiones anteriores a SR9 FP20, 6 R1 en versiones anteriores a SR8 FP15 y 6 en versiones anteriores a SR16 FP15 permite a atacantes físicamente próximos obtener información sensible mediante la lectura del Kerberos Credential Cache. • http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2016-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.5EPSS: 0%CPEs: 30EXPL: 0

CVE-2015-1931 – JDK: plain text data stored in memory dumps

https://notcve.org/view.php?id=CVE-2015-1931

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file. IBM Java Security Components en IBM SDK, Java Technology Edition 8 versiones anteriores a SR1 FP10, 7 R1 anteriores a SR3 FP10, 7 anteriores a SR9 FP10, 6 R1 anteriores a SR8 FP7, 6 anteriores a SR16 FP7, y 5.0 anteriores a SR16 FP13, almacena información de texto plano en volcados de memoria, lo que permite a usuarios locales obtener información confidencial al leer un archivo • http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00051.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00014.html http://rhn.redhat.com/errata/RHSA-2015-1485.html http://rhn.redhat.com/errata/RHSA-2015-1486.html http://rhn.redhat.com/errata/RHSA-2015-1488.html http://rhn.redhat.com/errata/RHSA-2015-1544.html http://rhn.redhat.com/errata/RHSA-2015-1604.html http://www-01.ibm.com/support/docview.wss?uid=swg1IV75182 http://www-01.ibm&# • CWE-312: Cleartext Storage of Sensitive Information •

CVSS: 10.0EPSS: 3%CPEs: 5EXPL: 0

CVE-2014-8891 – JDK: unspecified full Java sandbox bypass fixed in Feb 2015 update

https://notcve.org/view.php?id=CVE-2014-8891

Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager. Vulnerabilidad no especificada en Java Virtual Machine (JVM) en IBM SDK, Java Technology Edition 5.0 anterior a SR16-FP9, 6 anterior a SR16-FP3, 6R1 anterior a SR8-FP3, 7 anterior a SR8-FP10, y 7R1 anterior a SR2-FP10 permite a atacantes remotos escapar del sandbox de Java y ejecutar código arbitrario a través de vectores no especificados relacionados con el gestor de seguridad. • http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00022.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00025.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00026.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00033.html http://lists.opensuse.org/opensuse-security-announce/2015-02 •