CVSS: 9.8EPSS: 87%CPEs: 174EXPL: 1CVE-2017-5645 – log4j: Socket receiver deserialization vulnerability
https://notcve.org/view.php?id=CVE-2017-5645
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se deserializa, puede ejecutar código arbitrario. It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. • https://github.com/pimps/CVE-2017-5645 http://www.openwall.com/lists/oss-security/2019/12/19/2 http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/97702 http://www.securitytracker.com/id/1040200 http://www.securit • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2017-3296
https://notcve.org/view.php?id=CVE-2017-3296
Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework). Supported versions that are affected are 10.0.3.5, 10.2.0.5 and 11.2.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Commerce Platform accessible data. • http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2015-2607
https://notcve.org/view.php?id=CVE-2015-2607
Unspecified vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component in Oracle Commerce Platform 3.0.2, 3.1.1, 3.1.2, 11.0, and 11.1 allows remote attackers to affect confidentiality via unknown vectors related to Content Acquisition System. Vulnerabilidad no especificada en el componente Oracle Commerce Guided Search / Oracle Commerce Experience Manager en Oracle Commerce Platform 3.0.2, 3.1.1, 3.1.2, 11.0 y 11.1, permite a atacantes remotos afectar la confidencialidad a través de vectores desconocidos relacionados con Content Acquisition System. • http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2015-2653
https://notcve.org/view.php?id=CVE-2015-2653
Unspecified vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component in Oracle Commerce Platform 3.1.1, 3.1.2, 11.0, and 11.1 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Content Acquisition System. Vulnerabilidad no especificada en el componente Oracle Commerce Guided Search / Oracle Commerce Experience Manager en Oracle Commerce Platform 3.1.1, 3.1.2, 11.0 y 11.1, permite a atacantes remotos afectar la confidencialidad e integridad a través de vectores desconocidos relacionados con Content Acquisition System. • http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2015-0510
https://notcve.org/view.php?id=CVE-2015-0510
Unspecified vulnerability in the Oracle Commerce Platform component in Oracle Commerce Platform 9.4, 10.0, and 10.2 allows remote attackers to affect integrity via vectors related to Dynamo Application Framework - HTML Admin User Interface. Vulnerabilidad no especificada en el componente Oracle Commerce Platform en Oracle Commerce Platform 9.4, 10.0, y 10.2 permite a atacantes remotos afectar la integridad a través de vectores relacionados con Dynamo Application Framework - HTML Admin User Interface. • http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html •