CVSS: 9.8EPSS: 1%CPEs: 8EXPL: 1CVE-2018-12547 – JDK: buffer overflow in jio_snprintf() and jio_vsnprintf()
https://notcve.org/view.php?id=CVE-2018-12547
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code. En Eclipse OpenJ9, en versiones anteriores a la 0.12.0, los métodos nativos jio_snprintf() y jio_vsnprintf() ignoraban el parámetro length. Esto afecta a las API existentes que llamaban a las funciones para sobrepasar el búfer asignado. • https://access.redhat.com/errata/RHSA-2019:0469 https://access.redhat.com/errata/RHSA-2019:0472 https://access.redhat.com/errata/RHSA-2019:0473 https://access.redhat.com/errata/RHSA-2019:0474 https://access.redhat.com/errata/RHSA-2019:0640 https://access.redhat.com/errata/RHSA-2019:1238 https://bugs.eclipse.org/bugs/show_bug.cgi?id=543659 https://access.redhat.com/security/cve/CVE-2018-12547 https://bugzilla.redhat.com/show_bug.cgi?id=1685611 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12548
https://notcve.org/view.php?id=CVE-2018-12548
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code. En OpenJDK + Eclipse OpenJ9 en versiones con build 0.11.0, la clase pública jdk.crypto.jniprovider.NativeCrypto contiene nativos de estado públicos que aceptan valores de puntero que se desreferencian en el código nativo. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=543792 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-822: Untrusted Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20227
https://notcve.org/view.php?id=CVE-2018-20227
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive. RDF4J 2.4.2 permite el salto de directorio mediante ../ en una entrada en un archivo ZIP. • https://github.com/eclipse/rdf4j/issues/1210 https://github.com/eclipse/rdf4j/pull/1211/commits/df15a4d7a8f2789c043b27c9eafe1b30316cfa79 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20145
https://notcve.org/view.php?id=CVE-2018-20145
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. Eclipse Mosquitto en versiones 1.5.x anteriores a la 1.5.5 permite la omisión de las listas de control de acceso: si la opción per_listener_settings está establecida como True, el escuchador por defecto se está empleando y el escuchador por defecto especifica un acl_file, el archivo acl se ignora. • https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4 https://github.com/eclipse/mosquitto/issues/1073 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 0CVE-2018-12543
https://notcve.org/view.php?id=CVE-2018-12543
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. En Eclipse Mosquitto, de la versión 1.5 a la 1.5.2 inclusive, si se publica un mensaje en Mosquitto con un tema que empieza por $, pero que no es $SYS, e.g. $test/test, se desencadena una aserción que, de otra forma, no debería ser alcanzable y Mosquitto se cerrará. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=539295 • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •