CVSS: 5.3EPSS: 0%CPEs: 54EXPL: 0CVE-2017-10348 – OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432)
https://notcve.org/view.php?id=CVE-2017-10348
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/101354 http://www.securitytracker.com/id/1039596 https://access.redhat.com/errata/RHSA-2017:2998 https://access.redhat.com/errata/RHSA-2017:2999 https://access.redhat.com/errata/RHSA-2017:3046 https://access.redhat.com/errata/RHSA-2017:3047 https://access.redhat.com/errata/RHSA-2017:3264 https://access.redhat.com/errata/RHSA-2017:3267 https://access.redhat.com/errata/ • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5164
https://notcve.org/view.php?id=CVE-2015-5164
The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp. El servidor Qpid en Red Hat Satellite 6 no restringe correctamente los tipos de mensaje, lo que permite que usuarios autenticados remotos con acceso administrativo en un host de contenidos gestionado para ejecutar código arbitrario mediante un mensaje manipulado, relacionado con un problema de procesado pickle en pulp. • https://bugzilla.redhat.com/show_bug.cgi?id=1247732 https://pulp.plan.io/issues/23 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.0EPSS: 0%CPEs: 17EXPL: 0CVE-2017-7536 – hibernate-validator: Privilege escalation when running under the security manager
https://notcve.org/view.php?id=CVE-2017-7536
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). En Hibernate Validator 5.2.x anteriores a 5.2.5 final, 5.3.x y 5.4.x, se ha detectado que cuando los permisos reflectivos del gestor de seguridad, el cual accede a los miembros privados de la clase, se conceden a Hibernate Validator, podría ocurrir un escalado de privilegios. Permitiendo que el código de llamada acceda a esos miembros privados sin ningún permiso, el atacante podría validar una instancia no válida y acceder al valor del miembro privado mediante ConstraintViolation#getInvalidValue(). It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. • http://www.securityfocus.com/bid/101048 http://www.securitytracker.com/id/1039744 https://access.redhat.com/errata/RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:3141 https://access.redhat.com/errata/RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3456 https: • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8168
https://notcve.org/view.php?id=CVE-2014-8168
Red Hat Satellite 6 allows local users to access mongod and delete pulp_database. Red Hat Satellite 6 permite que los usuarios locales accedan a mongod y borren pulp_database. • https://bugzilla.redhat.com/show_bug.cgi?id=1192249 • CWE-284: Improper Access Control •
CVSS: 8.1EPSS: 0%CPEs: 46EXPL: 0CVE-2017-10078 – OpenJDK: Nashorn incompletely blocking access to Java APIs (Scripting, 8171539)
https://notcve.org/view.php?id=CVE-2017-10078
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Scripting). The supported version that is affected is Java SE: 8u131. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. • http://www.debian.org/security/2017/dsa-3919 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.securityfocus.com/bid/99752 http://www.securitytracker.com/id/1038931 https://access.redhat.com/errata/RHSA-2017:1789 https://access.redhat.com/errata/RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:2469 https://access.redhat.com/errata/RHSA-2017:3453 https://cert.vde.com/en-us/advisories/vde-2017-002 https://security.gentoo.org/g •