CVSS: 9.8EPSS: 0%CPEs: 25EXPL: 0CVE-2018-19361 – jackson-databind: improper polymorphic deserialization in openjpa class
https://notcve.org/view.php?id=CVE-2018-19361
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase openjpa de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code. • http://www.securityfocus.com/bid/107985 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:1782 https://access.redhat.com/errata/RHSA-2019:1797 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858& • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 24EXPL: 0CVE-2018-19362 – jackson-databind: improper polymorphic deserialization in jboss-common-core class
https://notcve.org/view.php?id=CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. Las versiones 2.x de FasterXML jackson-databind anteriores a la 2.9.8 podrían permitir a los atacantes remotos tener un impacto no especificado aprovechando un fallo para bloquear la clase jboss-common-core de deserialización polimórfica. A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code. • http://www.securityfocus.com/bid/107985 https://access.redhat.com/errata/RHBA-2019:0959 https://access.redhat.com/errata/RHSA-2019:0782 https://access.redhat.com/errata/RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:1782 https://access.redhat.com/errata/RHSA-2019:1797 https://access.redhat.com/errata/RHSA-2019:1822 https://access.redhat.com/errata/RHSA-2019:1823 https://access.redhat.com/errata/RHSA-2019:2804 https://access.redhat.com/errata/RHSA-2019:2858& • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-5401
https://notcve.org/view.php?id=CVE-2016-5401
Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page. Vulnerabilidad CSRF en Red Hat JBoss BRMS y BPMS 6 permite atacantes remotos secuestrar la autenticación de los usuarios para las solicitudes que modifican instancias a través de una página web manipulada. • https://bugzilla.redhat.com/show_bug.cgi?id=1357731 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2016-7041 – Workbench: Path traversal vulnerability
https://notcve.org/view.php?id=CVE-2016-7041
Drools Workbench contains a path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. Drools Workbench contiene una vulnerabilidad de salto de directorio. La vulnerabilidad permite que un atacante autenticado remoto omita las restricciones del directorio y recupere archivos arbitrarios desde el host afectado Drools Workbench contains the path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. • http://rhn.redhat.com/errata/RHSA-2016-2822.html http://rhn.redhat.com/errata/RHSA-2016-2823.html http://rhn.redhat.com/errata/RHSA-2016-2937.html http://rhn.redhat.com/errata/RHSA-2016-2938.html http://www.securityfocus.com/bid/94566 http://www.securitytracker.com/id/1037406 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7041 https://access.redhat.com/security/cve/CVE-2016-7041 https://bugzilla.redhat.com/show_bug.cgi?id=1375757 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 14EXPL: 0CVE-2016-4999 – Dashbuilder: SQL Injection on data set lookup filters
https://notcve.org/view.php?id=CVE-2016-4999
SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI. Vulnerabilidad de inyección SQL en el método getStringParameterSQL en main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java en Dashbuilder en versiones anteriores a 0.6.0.Beta1 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de un filtro de búsqueda de conjunto de datos en (1) Data Set Authoring o (2) Displayer editor UI. A security flaw was found in the way Dashbuilder performed SQL datasets lookup requests in the Data Set Authoring UI or the Displayer editor UI. A remote attacker could use this flaw to conduct SQL injection attacks via specially-crafted string filter parameter. • http://www.securityfocus.com/bid/91795 https://access.redhat.com/errata/RHSA-2016:1428 https://access.redhat.com/errata/RHSA-2016:1429 https://bugzilla.redhat.com/show_bug.cgi?id=1349990 https://github.com/dashbuilder/dashbuilder/commit/8574899e3b6455547b534f570b2330ff772e524b https://issues.jboss.org/browse/DASHBUILDE-113 https://access.redhat.com/security/cve/CVE-2016-4999 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •