CVSS: 6.1EPSS: 0%CPEs: 46EXPL: 1CVE-2021-22947 – curl: Server responses received before STARTTLS processed after TLS handshake
https://notcve.org/view.php?id=CVE-2021-22947
15 Sep 2021 — When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-thro... • http://seclists.org/fulldisclosure/2022/Mar/29 • CWE-310: Cryptographic Issues CWE-319: Cleartext Transmission of Sensitive Information CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.5EPSS: 0%CPEs: 49EXPL: 1CVE-2021-22946 – curl: Requirement to use TLS not properly enforced for IMAP, POP3, and FTP protocols
https://notcve.org/view.php?id=CVE-2021-22946
15 Sep 2021 — A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitiv... • http://seclists.org/fulldisclosure/2022/Mar/29 • CWE-319: Cleartext Transmission of Sensitive Information CWE-325: Missing Cryptographic Step •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39150 – A Server-Side Forgery Request vulnerability in XStream via PriorityQueue unmarshaling
https://notcve.org/view.php?id=CVE-2021-39150
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framewor... • https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.5EPSS: 52%CPEs: 36EXPL: 1CVE-2021-39152 – A Server-Side Forgery Request vulnerability in XStream via HashMap unmarshaling
https://notcve.org/view.php?id=CVE-2021-39152
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framewor... • https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2 • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39140 – XStream can cause a Denial of Service
https://notcve.org/view.php?id=CVE-2021-39140
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a bl... • https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc • CWE-502: Deserialization of Untrusted Data CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39149 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39149
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39148 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39148
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 1CVE-2021-39147 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39147
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 43%CPEs: 36EXPL: 0CVE-2021-39146 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39146
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 0%CPEs: 36EXPL: 0CVE-2021-39145 – XStream is vulnerable to an Arbitrary Code Execution attack
https://notcve.org/view.php?id=CVE-2021-39145
23 Aug 2021 — XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. XStream es una bibli... • https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •