Page 4 of 43 results (0.005 seconds)

CVSS: 5.5EPSS: 0%CPEs: 79EXPL: 0

CVE-2021-36374 – Apache Ant ZIP, and ZIP based, archive denial of service vulerability

https://notcve.org/view.php?id=CVE-2021-36374

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Cuando se lee un archivo ZIP especialmente diseñado, o un formato derivado, se puede hacer que una compilación de Apache Ant asigne grandes cantidades de memoria que conlleva a un error de falta de memoria, incluso para entradas pequeñas. • https://ant.apache.org/security.html https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E https://lists.apache.org/thre • CWE-130: Improper Handling of Length Parameter Inconsistency •

CVSS: 5.5EPSS: 0%CPEs: 73EXPL: 0

CVE-2021-36373 – Apache Ant TAR archive denial of service vulnerability

https://notcve.org/view.php?id=CVE-2021-36373

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Cuando se lee un archivo TAR especialmente diseñado, se puede hacer que una compilación de Apache Ant asigne grandes cantidades de memoria que finalmente conlleva a un error de falta de memoria, incluso para entradas pequeñas. Esto puede ser usado para interrumpir las compilaciones usando Apache Ant. • https://ant.apache.org/security.html https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E https://lists.apache.org/thre • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 8.8EPSS: 4%CPEs: 40EXPL: 1

CVE-2021-29505 – XStream is vulnerable to a Remote Command Execution attack

https://notcve.org/view.php?id=CVE-2021-29505

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17. XStream es un software para serializar objetos Java a XML y viceversa. • https://github.com/MyBlackManba/CVE-2021-29505 https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cdev.jmeter.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP https://lists.f • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •

CVSS: 7.8EPSS: 2%CPEs: 34EXPL: 0

CVE-2021-21348 – XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)

https://notcve.org/view.php?id=CVE-2021-21348

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. XStream es una biblioteca de Java para serializar objetos a XML y viceversa. • http://x-stream.github.io/changes.html#1.4.16 https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message&#x • CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data •

CVSS: 8.6EPSS: 1%CPEs: 37EXPL: 2

CVE-2021-21349 – A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host

https://notcve.org/view.php?id=CVE-2021-21349

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. XStream es una biblioteca de Java para serializar objetos a XML y viceversa. • https://github.com/s-index/CVE-2021-21349 http://x-stream.github.io/changes.html#1.4.16 https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0%40%3Cdev.jmeter.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html https://lists.fedoraproject.org/archives • CWE-502: Deserialization of Untrusted Data CWE-918: Server-Side Request Forgery (SSRF) •