CVSS: 5.0EPSS: 17%CPEs: 56EXPL: 0CVE-2009-2625 – JDK: XML parsing Denial-Of-Service (6845701)
https://notcve.org/view.php?id=CVE-2009-2625
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. Apache Xerces2 Java, tal como se utiliza en Sun Java Runtime Environment (JRE) en JDK y JRE v6 anterior a la actualización 15 y el JDK y JRE v5.0 antes de la actualización 20, y en otros productos, permite a atacantes remotos provocar una denegación de servicio (bucle infinito y la cuelgue de aplicación) a través de una entrada XML malformada, como lo demuestra Codenomicon XML fuzzing framework. • http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html http://marc.info/?l=bugtraq&m=125787273209737&w=2 http://rhn.redhat.com/errata/RHSA-2012-1232.html http://rhn.redhat.co •
CVSS: 9.3EPSS: 3%CPEs: 15EXPL: 1CVE-2009-1837 – Firefox Race condition while accessing the private data of a NPObject JS wrapper class object
https://notcve.org/view.php?id=CVE-2009-1837
Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object. Condición de carrera en la función NPObjWrapper_NewResolve en modules/plugin/base/src/nsJSNPRuntime.cpp en xul.dll en Mozilla Firefox v3 anteriores a v3.0.11 podría permitir a atacantes remotos ejecutar código arbitrario a través de una pagina de transición durante la carga de un applet de Java, relacionado con una vulnerabilidad uso-después-de-liberación para asociar memoria con un objeto Java destrozado. • http://secunia.com/advisories/34241 http://secunia.com/advisories/35331 http://secunia.com/advisories/35415 http://secunia.com/advisories/35431 http://secunia.com/advisories/35468 http://secunia.com/secunia_research/2009-19 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.372468 http://sunsolve.sun.com/search/document.do?assetkey=1-66-264308-1 http://www.debian.org/security/2009/dsa-1820 http://www.mozilla.org/security/announce/2009/mfs • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 7.5EPSS: 19%CPEs: 13EXPL: 1CVE-2009-1955 – Apache mod_dav / svn - Remote Denial of Service
https://notcve.org/view.php?id=CVE-2009-1955
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564. El parseador XML en el interfaz apr_xml_* en xml/apr_xml.c en Apache APR-util anteriores a v1.3.7 tal y como es utilizado en los módulos mod_dav y mod_dav_svn en el servidor HTTP de Apache, permite a atacantes remotos producir una denegación de servicio (agotamiento de memoria) a través de un documento XML manipulado que contiene un gran numero de referencias anidadas, como se demostró en la petición PROPFIND, una vulnerabilidad similar a CVE-2003-1564. • https://www.exploit-db.com/exploits/8842 http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html http://marc.info/?l=apr-dev&m=124396021826125&w=2 http://marc.info/?l=bugtraq&m=129190899612998&w=2 http://secunia.com/advisories/34724 http://secunia.com/advisories/35284 http://secunia.com/advisories/35360 http://secunia.com/advisories/35395 http://secunia.com/advisories/35444 http: • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 5.0EPSS: 3%CPEs: 3EXPL: 3CVE-2009-1902 – ModSecurity < 2.5.9 - Remote Denial of Service
https://notcve.org/view.php?id=CVE-2009-1902
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form datapost request with a missing part header name, which triggers a NULL pointer dereference. El procesador multipart en ModSecurity anterior a v2.5.9, permite a atacantes remotos provocar una denegación de servicio (caída) a través de una petición multipart form datapost con un "part header name" perdido, lo que provoca una deferencia a puntero nulo (NULL). • https://www.exploit-db.com/exploits/8241 http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html http://secunia.com/advisories/34256 http://secunia.com/advisories/34311 http://secunia.com/advisories/35687 http://security.gentoo.org/glsa/glsa-200907-02.xml http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846 http://www.osvdb.org/52553 http://www.securityfocus.com/archive/1/501968 http://www.securityfocus.com/bid/34096 http://www&# • CWE-476: NULL Pointer Dereference •
CVSS: 4.3EPSS: 1%CPEs: 3EXPL: 0CVE-2009-1903
https://notcve.org/view.php?id=CVE-2009-1903
The PDF XSS protection feature in ModSecurity before 2.5.8 allows remote attackers to cause a denial of service (Apache httpd crash) via a request for a PDF file that does not use the GET method. La funcionalidad de protección de PDF XSS en ModSecurity anterior a v2.5.8, permite a atacantes remotos provocar una denegación de servicio (caída del httpd Apacche) a través de una petición a un archivo PDF que no emplea el método GET. • http://secunia.com/advisories/34256 http://secunia.com/advisories/34311 http://secunia.com/advisories/35687 http://security.gentoo.org/glsa/glsa-200907-02.xml http://sourceforge.net/project/shownotes.php?release_id=667538 http://www.osvdb.org/52552 http://www.securityfocus.com/bid/34096 http://www.vupen.com/english/advisories/2009/0703 https://exchange.xforce.ibmcloud.com/vulnerabilities/49211 https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00487.html https:/ •