CVSS: 9.8EPSS: 21%CPEs: 48EXPL: 0CVE-2019-2904 – Oracle ADF Faces Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-2904
16 Oct 2019 — Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle JDeveloper and ADF. Successful attacks of this vulnerability can result in takeover of Oracle JDeveloper and ADF. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). • http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html •
CVSS: 9.8EPSS: 12%CPEs: 18EXPL: 1CVE-2019-17195 – nimbus-jose-jwt: Uncaught exceptions while parsing a JWT
https://notcve.org/view.php?id=CVE-2019-17195
15 Oct 2019 — Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. Connect2id Nimbus JOSE+JWT versiones anteriores a v7.9, puede arrojar varias excepciones no captadas al analizar un JWT, lo que podría resultar en un bloqueo de la aplicación (potencial divulgación de información) o una posible omisión de autenticación. A flaw was found in Connect2id Nimbus JOSE+J... • https://github.com/somatrasss/weblogic2021 • CWE-248: Uncaught Exception CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.1EPSS: 11%CPEs: 40EXPL: 2CVE-2019-17091
https://notcve.org/view.php?id=CVE-2019-17091
02 Oct 2019 — faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled. El archivo faces/context/PartialViewContextImpl.java en Eclipse Mojarra, como es usado en Mojarra para Eclipse EE4J versiones anteriores a 2.3.10 y Mojarra JavaServer Faces versiones anteriores a 2.2.20, permite un ataque de tipo XSS Reflejado porque un campo client window es manejado inap... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0CVE-2019-10086 – apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
https://notcve.org/view.php?id=CVE-2019-10086
20 Aug 2019 — In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. En Apache Commons Beanutils 1.9.2, se agregó una clase especial BeanIntrospector que permite suprimir la capacidad de un atacante para acceder al cargador de clases a través de la propiedad de clase disponible en todo... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 2%CPEs: 7EXPL: 0CVE-2019-0188
https://notcve.org/view.php?id=CVE-2019-0188
28 May 2019 — Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. Apache Camel en versiones anteriores a la 2.24.0 contiene una vulnerabilidad de XML external entity injection (XXE) (CWE-611) debido al uso de una biblioteca JSON-lib obsoleta y vulnerable. Esto afecta solo al componente Camel-xmljson, que se eliminó. • http://jvn.jp/en/jp/JVN71498764/index.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 11%CPEs: 13EXPL: 0CVE-2019-0222 – activemq: Corrupt MQTT frame can cause broker shutdown
https://notcve.org/view.php?id=CVE-2019-0222
28 Mar 2019 — In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. En Apache ActiveMQ, desde la versión 5.0.0 hasta la 5.15.8, la deserialización de una trama MQTT corrupta puede conducir a una excepción de bróker fuera de memoria, haciendo que no responda. AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protoc... • http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt •
CVSS: 7.5EPSS: 2%CPEs: 19EXPL: 0CVE-2018-3246
https://notcve.org/view.php?id=CVE-2018-3246
17 Oct 2018 — Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality... • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html •
CVSS: 7.4EPSS: 0%CPEs: 7EXPL: 0CVE-2018-11775 – activemq: ActiveMQ Client Missing TLS Hostname Verification
https://notcve.org/view.php?id=CVE-2018-11775
10 Sep 2018 — TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default. Falta la verificación de nombres de host TLS al emplear Apache ActiveMQ Client en versiones anteriores a la 5.15.6, lo que podría hacer que el cliente sea vulnerable a un ataque Man-in-the-Middle (MitM) entre una aplicación Java que emplea el cliente Activ... • http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 4%CPEs: 47EXPL: 0CVE-2018-1000613
https://notcve.org/view.php?id=CVE-2018-1000613
09 Jul 2018 — Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be pic... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0CVE-2018-1000180 – bouncycastle: flaw in the low-level interface to RSA key pair generator
https://notcve.org/view.php?id=CVE-2018-1000180
05 Jun 2018 — Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 y anteriores tiene un vulnerabilidad en la interfaz de bajo nivel del generador de claves RSA; específicamente, los par... • http://www.securityfocus.com/bid/106567 • CWE-325: Missing Cryptographic Step CWE-327: Use of a Broken or Risky Cryptographic Algorithm •