CVSS: 4.3EPSS: 0%CPEs: 15EXPL: 0CVE-2019-2987 – OpenJDK: Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286)
https://notcve.org/view.php?id=CVE-2019-2987
16 Oct 2019 — Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web S... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2988 – OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292)
https://notcve.org/view.php?id=CVE-2019-2988
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-190: Integer Overflow or Wraparound •
CVSS: 6.8EPSS: 1%CPEs: 19EXPL: 0CVE-2019-2989 – OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298)
https://notcve.org/view.php?id=CVE-2019-2989
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can res... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2992 – OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597)
https://notcve.org/view.php?id=CVE-2019-2992
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.7EPSS: 1%CPEs: 37EXPL: 0CVE-2019-2999 – OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765)
https://notcve.org/view.php?id=CVE-2019-2999
16 Oct 2019 — Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability ca... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.1EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2945 – OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573)
https://notcve.org/view.php?id=CVE-2019-2945
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html •
CVSS: 6.8EPSS: 0%CPEs: 36EXPL: 0CVE-2019-2949 – OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
https://notcve.org/view.php?id=CVE-2019-2949
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unaut... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 31EXPL: 0CVE-2019-11068 – libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL
https://notcve.org/view.php?id=CVE-2019-11068
10 Apr 2019 — libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. libxslt hasta la versión 1.1.33 permite omitir los mecanismos de protección debido a que los callers xsltCheckRead y xsltCheckWrite permiten acceso incluso después de recibir el código de error -1. xsltCheckRead puede devolver -1 para una URL ... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 12EXPL: 0CVE-2018-12538
https://notcve.org/view.php?id=CVE-2018-12538
22 Jun 2018 — In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. En Eclipse Jetty, desde la versión 9.4.0 hasta la 9.4.8, al emplear el FileSessionDataStore opcional provisto por Jetty para el almacenamiento persistente de detalles HttpSession, e... • http://www.securitytracker.com/id/1041194 • CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length CWE-384: Session Fixation •
CVSS: 8.1EPSS: 2%CPEs: 17EXPL: 0CVE-2018-5968 – jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
https://notcve.org/view.php?id=CVE-2018-5968
22 Jan 2018 — FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. FasterXML jackson-databind, hasta la versión 2.8.11 y las versiones 2.9.x hasta la 2.9.3, permite la ejecución remota de código sin autenticar debido a una solución incompleta para los errores de deserialización CVE-2017-7525 y CVE-2017-... • https://access.redhat.com/errata/RHSA-2018:0478 • CWE-184: Incomplete List of Disallowed Inputs CWE-502: Deserialization of Untrusted Data •