CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-0470 – OpenJDK: incorrect handling of default methods (Hotspot, 8065366)
https://notcve.org/view.php?id=CVE-2015-0470
An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. • http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00017.html http://rhn.redhat.com/errata/RHSA-2015-0809.html http://rhn.redhat.com/errata/RHSA-2015-0854.html http://www.debian.org/security/2015/dsa-3234 http://www.debian.org/security/2015/dsa-3235 http://www.debian.org/security/2015/dsa-3316 http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.securityfocus.com/bid/74149 http://www.securitytracker.com/id/1032120 https://s •
CVSS: 10.0EPSS: 8%CPEs: 8EXPL: 0CVE-2015-0469 – ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
https://notcve.org/view.php?id=CVE-2015-0469
A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. • http://advisories.mageia.org/MGASA-2015-0158.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00017.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00018.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html http:/ • CWE-122: Heap-based Buffer Overflow •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-0477 – OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
https://notcve.org/view.php?id=CVE-2015-0477
An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. • http://advisories.mageia.org/MGASA-2015-0158.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00017.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00018.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html http:/ •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-1115
https://notcve.org/view.php?id=CVE-2015-1115
The Telephony component in Apple iOS before 8.3 allows attackers to bypass a sandbox protection mechanism and access unintended telephone capabilities via a crafted app. El componente Telephony en Apple iOS anterior a 8.3 permite a atacantes evadir un mecanismo de protección de sandbox y acceder a capacidades de teléfono a través de una aplicación manipulada. • http://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html http://www.securityfocus.com/bid/73978 http://www.securitytracker.com/id/1032050 https://support.apple.com/HT204661 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 97%CPEs: 5EXPL: 7CVE-2015-1427 – Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2015-1427
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. El motor de secuencias de comandos Groovy en Elasticsearch anterior a 1.3.8 y 1.4.x anterior a 1.4.3 permite a atacantes remotos evadir el mecanismo de protección de sandbox y ejecutar comandos de shell arbitrarios a través de una secuencia de comandos manipulada. ... The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands. • https://www.exploit-db.com/exploits/36415 https://www.exploit-db.com/exploits/36337 https://github.com/t0kx/exploit-CVE-2015-1427 https://github.com/xpgdgit/CVE-2015-1427 https://github.com/cyberharsh/Groovy-scripting-engine-CVE-2015-1427 http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html http://www.elasticsearch.com/blog/elasticsear • CWE-284: Improper Access Control •