CVSS: 8.1EPSS: 2%CPEs: 75EXPL: 1CVE-2020-36187 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
https://notcve.org/view.php?id=CVE-2020-36187
06 Jan 2021 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource A flaw was found in jackson-databind. FasterXML mishandles the interaction between serializa... • https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 7%CPEs: 75EXPL: 2CVE-2020-36188 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
https://notcve.org/view.php?id=CVE-2020-36188
06 Jan 2021 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8 maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource A flaw was found in jackson-databind. FasterXML mishandles the interaction betw... • https://github.com/Al1ex/CVE-2020-36188 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 6%CPEs: 74EXPL: 1CVE-2020-36181 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
https://notcve.org/view.php?id=CVE-2020-36181
06 Jan 2021 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS A flaw was found in jackson-databind. FasterXML mishandles the interaction between serialization g... • https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 39%CPEs: 65EXPL: 1CVE-2020-35728 – jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
https://notcve.org/view.php?id=CVE-2020-35728
27 Dec 2020 — FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.8, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (también se ... • https://github.com/Al1ex/CVE-2020-35728 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 7.0EPSS: 0%CPEs: 33EXPL: 2CVE-2020-27216 – jetty: local temporary directory hijacking vulnerability
https://notcve.org/view.php?id=CVE-2020-27216
23 Oct 2020 — In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921 • CWE-377: Insecure Temporary File CWE-378: Creation of Temporary File With Insecure Permissions CWE-379: Creation of Temporary File in Directory with Insecure Permissions •
CVSS: 8.1EPSS: 2%CPEs: 37EXPL: 1CVE-2020-24750 – jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
https://notcve.org/view.php?id=CVE-2020-24750
17 Sep 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.pastdev.httpcomponents.configuration.JndiConfiguration A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between ... • https://github.com/Al1ex/CVE-2020-24750 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 19%CPEs: 8EXPL: 0CVE-2020-11998
https://notcve.org/view.php?id=CVE-2020-11998
10 Sep 2020 — A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remo... • http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt •
CVSS: 8.1EPSS: 3%CPEs: 33EXPL: 1CVE-2020-24616
https://notcve.org/view.php?id=CVE-2020-24616
25 Aug 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con br.com.anteros.dbcp.AnterosDBCPDataSource (también se conoce como Anteros-DBCP) • https://github.com/0xkami/cve-2020-24616-poc • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 78%CPEs: 19EXPL: 1CVE-2020-11993 – httpd: mod_http2 concurrent pool usage
https://notcve.org/view.php?id=CVE-2020-11993
07 Aug 2020 — Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. Apache HTTP Server versiones 2.4.20 hasta 2.4.43, cuando trace/debug fue habilitado para el módulo HTTP/2 y en determinados patrones de tráfico de borde, se hicieron declaracion... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html • CWE-400: Uncontrolled Resource Consumption CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.8EPSS: 48%CPEs: 20EXPL: 1CVE-2020-11984 – httpd: mod_proxy_uwsgi buffer overflow
https://notcve.org/view.php?id=CVE-2020-11984
07 Aug 2020 — Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE Apache HTTP server versiones 2.4.32 hasta 2.4.44, la función mod_proxy_uwsgi divulga información y posible RCE A flaw was found in Apache httpd in versions 2.4.32 to 2.4.46. The uwsgi protocol does not serialize more than 16K of HTTP header leading to resource exhaustion and denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Red Hat JBoss Co... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-400: Uncontrolled Resource Consumption •