CVSS: 9.8EPSS: 2%CPEs: 12EXPL: 1CVE-2017-15708
https://notcve.org/view.php?id=CVE-2017-15708
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. • https://github.com/HuSoul/CVE-2017-15708 http://www.securityfocus.com/bid/102154 https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9%40%3Cdev.synapse.apache.org%3E https://lists.apache.org/thread.html/r0fb289cd38c915b9a13a3376134f96222dd9100f1ef66b41631865c6%40%3Ccommits.doris.apache.org%3E https://security.gentoo.org/glsa/202107-37 https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-11652 – Razer Synapse 2.20 DLL Hijacking
https://notcve.org/view.php?id=CVE-2017-11652
Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the CrashReporter directory, which allows local users to gain privileges via a Trojan horse dbghelp.dll file. Razer Synapse 2.20.15.1104 y anteriores emplea permisos débiles para el directorio CrashReporter, lo que permite que usuarios locales obtengan privilegios mediante un archivo troyano dbghelp.dll. Razer Synapse versions 2.20.15.1104 and below suffer from multiple dll search order hijacking vulnerabilities. • http://packetstormsecurity.com/files/143516/Razer-Synapse-2.20-DLL-Hijacking.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-11653 – Razer Synapse 2.20 DLL Hijacking
https://notcve.org/view.php?id=CVE-2017-11653
Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the Devices directory, which allows local users to gain privileges via a Trojan horse (1) RazerConfigNative.dll or (2) RazerConfigNativeLOC.dll file. Razer Synapse 2.20.15.1104 y anteriores emplea permisos débiles para el directorio Devices, lo que permite que usuarios locales obtengan privilegios mediante un archivo troyano (1) RazerConfigNative.dll or (2) RazerConfigNativeLOC.dll. Razer Synapse versions 2.20.15.1104 and below suffer from multiple dll search order hijacking vulnerabilities. • http://packetstormsecurity.com/files/143516/Razer-Synapse-2.20-DLL-Hijacking.html • CWE-732: Incorrect Permission Assignment for Critical Resource •