CVSS: 4.3EPSS: 0%CPEs: 39EXPL: 0CVE-2019-2978 – OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892)
https://notcve.org/view.php?id=CVE-2019-2978
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. No... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2981 – OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532)
https://notcve.org/view.php?id=CVE-2019-2981
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Th... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-248: Uncaught Exception •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2983 – OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915)
https://notcve.org/view.php?id=CVE-2019-2983
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-248: Uncaught Exception •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2988 – OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292)
https://notcve.org/view.php?id=CVE-2019-2988
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-190: Integer Overflow or Wraparound •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 0CVE-2019-2992 – OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597)
https://notcve.org/view.php?id=CVE-2019-2992
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.7EPSS: 1%CPEs: 37EXPL: 0CVE-2019-2999 – OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765)
https://notcve.org/view.php?id=CVE-2019-2999
16 Oct 2019 — Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability ca... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 36EXPL: 0CVE-2019-2964 – OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684)
https://notcve.org/view.php?id=CVE-2019-2964
16 Oct 2019 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. N... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html • CWE-248: Uncaught Exception •
CVSS: 9.0EPSS: 85%CPEs: 47EXPL: 31CVE-2019-14287 – sudo 1.8.27 - Security Bypass
https://notcve.org/view.php?id=CVE-2019-14287
15 Oct 2019 — In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. En Sudo anteriores a 1.8.28, un atacante con acceso a una cuenta Runas ALL sudoer puede omitir ciertas listas negras de políticas y módulos PAM de sesión, y puede causar un registro... • https://www.exploit-db.com/exploits/47502 • CWE-267: Privilege Defined With Unsafe Actions CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0CVE-2019-14846 – ansible: secrets disclosed on logs when no_log enabled
https://notcve.org/view.php?id=CVE-2019-14846
08 Oct 2019 — In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. En Ansible, todas las versiones de Ansible Engine hasta ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, se registraban en el nivel DEBUG, lo que ... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.8EPSS: 1%CPEs: 62EXPL: 0CVE-2019-16943 – jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
https://notcve.org/view.php?id=CVE-2019-16943
01 Oct 2019 — A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. Se descubrió un problema de escritura poli... • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •