CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-2841
https://notcve.org/view.php?id=CVE-2018-2841
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Difficult to exploit vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.securityfocus.com/bid/103839 http://www.securitytracker.com/id/1040691 •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-2575
https://notcve.org/view.php?id=CVE-2018-2575
Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, and 12.2.0.1. Difficult to exploit vulnerability allows high privileged attacker having Local Logon privilege with network access via multiple protocols to compromise Core RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Core RDBMS accessible data. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102547 http://www.securitytracker.com/id/1040196 •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-10282
https://notcve.org/view.php?id=CVE-2017-10282
Vulnerability in the Core RDBMS component of Oracle Database Server. Supported versions that are affected are 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows high privileged attacker having Create Session, Execute Catalog Role privilege with network access via Oracle Net to compromise Core RDBMS. While the vulnerability is in Core RDBMS, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Core RDBMS. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102534 http://www.securitytracker.com/id/1040196 •
CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 0CVE-2018-2680
https://notcve.org/view.php?id=CVE-2018-2680
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java VM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java VM. • http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html http://www.securityfocus.com/bid/102571 http://www.securitytracker.com/id/1040196 •
CVSS: 9.8EPSS: 2%CPEs: 58EXPL: 0CVE-2017-15095 – jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
https://notcve.org/view.php?id=CVE-2017-15095
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. Se ha descubierto un error de deserialización en jackson-databind, en versiones anteriores a la 2.8.10 y a la 2.9.1, que podría permitir que un usuario no autenticado ejecute código enviando las entradas maliciosamente manipuladas al método readValue de ObjectMapper. Este problema amplía el error previo de CVE-2017-7525 metiendo en la lista negra más clases que podrían emplearse de forma maliciosa. A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. • http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/103880 http://www.securitytracker.com/id/1039769 https://access.redhat.com/errata/RHSA-2017:3189 https://access.redhat.com/errata/RHSA-2017:3190 https://access.redhat.com/errata/RHSA-2018:0342 https://access.redhat.com/errata/RHSA-2018: • CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •