Page 6 of 29 results (0.014 seconds)

CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0

CVE-2018-1131 – infinispan: deserialization of data in XML and JSON transcoders

https://notcve.org/view.php?id=CVE-2018-1131

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected. Infinispan permite la deserialización incorrecta de datos fiables mediante transcodificadores XML y JSON en ciertas configuraciones del servidor. Un usuario con acceso autenticado al servidor podría enviar un objeto malicioso a una caché configurada para aceptar ciertos tipos de objetos, logrando la ejecución de código y, posiblemente, más ataques. • http://www.securityfocus.com/bid/104218 https://access.redhat.com/errata/RHSA-2018:1833 https://access.redhat.com/errata/RHSA-2019:3892 https://bugzilla.redhat.com/show_bug.cgi?id=1576492 https://access.redhat.com/security/cve/CVE-2018-1131 • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data CWE-502: Deserialization of Untrusted Data •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

CVE-2017-2638 – infinispan: auth bypass in REST api

https://notcve.org/view.php?id=CVE-2017-2638

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. Se ha descubierto que la API REST en Infinispan en versiones anteriores a la 9.0.0 no aplicaba correctamente las restricciones auth. Un atacante podría emplear esta vulnerabilidad para leer o modificar datos en la caché por defecto o un nombre de caché conocido. It was found that the REST API in infinispan did not properly enforce auth constraints. • http://rhn.redhat.com/errata/RHSA-2017-1097.html http://www.securityfocus.com/bid/97964 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638 https://github.com/infinispan/infinispan/pull/4936/commits https://issues.jboss.org/browse/ISPN-7485 https://access.redhat.com/security/cve/CVE-2017-2638 https://bugzilla.redhat.com/show_bug.cgi?id=1428564 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •

CVSS: 7.8EPSS: 1%CPEs: 5EXPL: 0

CVE-2016-4970 – netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl

https://notcve.org/view.php?id=CVE-2016-4970

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). handler/ssl/OpenSslEngine.java en Netty 4.0.x en versiones anteriores a 4.0.37.Final y 4.1.x en versiones anteriores a 4.1.1.Final permite a los atacantes remotos provocar una denegación de servicio (bucle infinito). • http://netty.io/news/2016/06/07/4-0-37-Final.html http://netty.io/news/2016/06/07/4-1-1-Final.html http://rhn.redhat.com/errata/RHSA-2017-0179.html http://rhn.redhat.com/errata/RHSA-2017-1097.html http://www.securityfocus.com/bid/96540 https://bugzilla.redhat.com/show_bug.cgi?id=1343616 https://github.com/netty/netty/pull/5364 https://lists.apache.org/thread.html/afaa5860e3a6d327eb96c3d82cbd2f5996de815a16854ed1ad310144%40%3Ccommits.cassandra.apache.org%3E https://wiki • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 10.0EPSS: 1%CPEs: 19EXPL: 1

CVE-2015-7501 – apache-commons-collections: InvokerTransformer code execution during deserialisation

https://notcve.org/view.php?id=CVE-2015-7501

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x y 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x y 5.x; Enterprise Application Platform 6.x, 5.x y 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x y Red Hat Subscription Asset Manager 1.3 permiten que atacantes remotos ejecuten comandos arbitrarios mediante un objeto Java serializado manipulado. Esto está relacionado con la librería ACC (Apache Commons Collections). It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. • https://github.com/ianxtianxt/CVE-2015-7501 http://rhn.redhat.com/errata/RHSA-2015-2500.html http://rhn.redhat.com/errata/RHSA-2015-2501.html http://rhn.redhat.com/errata/RHSA-2015-2502.html http://rhn.redhat.com/errata/RHSA-2015-2514.html http://rhn.redhat.com/errata/RHSA-2015-2516.html http://rhn.redhat.com/errata/RHSA-2015-2517.html http://rhn.redhat.com/errata/RHSA-2015-2521.html http://rhn.redhat.com/errata/RHSA-2015-2522.html http://rhn.redhat. • CWE-284: Improper Access Control CWE-502: Deserialization of Untrusted Data •