CVE-2021-35515 – Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
https://notcve.org/view.php?id=CVE-2021-35515
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Cuando se lee un archivo 7Z especialmente diseñado, la construcción de la lista de códecs que descomprimen una entrada puede resultar en un bucle infinito. Esto podría ser usado para montar un ataque de denegación de servicio contra los servicios que usan el paquete sevenz de Compress A flaw was found in apache-commons-compress. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. • http://www.openwall.com/lists/oss-security/2021/07/13/1 https://commons.apache.org/proper/commons-compress/security-reports.html https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E https://lists.apache.org/thread.html/rab29 • CWE-834: Excessive Iteration CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2021-30468 – Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
https://notcve.org/view.php?id=CVE-2021-30468
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11. Una vulnerabilidad en la función JsonMapObjectReaderWriter de Apache CXF permite a un atacante enviar un JSON malformado hacia un servicio web, lo que hace que el subproceso se quede atascado en un bucle infinito, consumiendo CPU indefinidamente. Este problema afecta a Apache CXF versiones anteriores a 3.4.4 y Apache CXF versiones anteriores a 3.3.11 • http://cxf.apache.org/security-advisories.data/CVE-2021-30468.txt.asc http://www.openwall.com/lists/oss-security/2021/06/16/2 https://lists.apache.org/thread.html/r3f46ae38e4a6e80c069cdb320e0ce831b0a21a12ef0cc92c0943f34a%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r4771084730c4cf6e59eda60b4407122c86f174eb750b24f610ba9ff4%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r4a4b6bc0520b69c18d2a59daa6af84ae49f0c22164dccb8538794459%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/r4a4b6bc0520b6 • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2021-2225
https://notcve.org/view.php?id=CVE-2021-2225
Vulnerability in the Oracle E-Business Intelligence product of Oracle E-Business Suite (component: DBI Setups). Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle E-Business Intelligence. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle E-Business Intelligence accessible data as well as unauthorized access to critical data or complete access to all Oracle E-Business Intelligence accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). • https://www.oracle.com/security-alerts/cpuapr2021.html •
CVE-2021-2191
https://notcve.org/view.php?id=CVE-2021-2191
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions). Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. • https://www.oracle.com/security-alerts/cpuapr2021.html •
CVE-2021-2152
https://notcve.org/view.php?id=CVE-2021-2152
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. • https://www.oracle.com/security-alerts/cpuapr2021.html •