CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-25633 – resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
https://notcve.org/view.php?id=CVE-2020-25633
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en el cliente RESTEasy en todas las versiones de RESTEasy hasta 4.5.6.Final. Puede permitir a usuarios del cliente obtener información potencialmente confidencial del servidor cuando el servidor obtuvo una WebApplicationException de la llamada del cliente RESTEasy. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 https://access.redhat.com/security/cve/CVE-2020-25633 https://bugzilla.redhat.com/show_bug.cgi?id=1879042 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.7EPSS: 1%CPEs: 6EXPL: 0CVE-2020-13692 – postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
https://notcve.org/view.php?id=CVE-2020-13692
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. PostgreSQL JDBC Driver (también se conoce como PgJDBC) versiones anteriores a 42.2.13, permite un ataque de tipo XXE A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability. • https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65 https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13 https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/ • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1714 – keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-1714
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. Se detectó un fallo en Keycloak versiones anteriores a 11.0.0, donde la base de código contiene usos de la función ObjectInputStream sin ningún tipo de comprobaciones. Este fallo permite a un atacante inyectar Objetos Java serializados arbitrariamente, que luego se deserializarán en un contexto privilegiado y conlleva potencialmente a una ejecución de código remota. A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 https://github.com/keycloak/keycloak/pull/7053 https://access.redhat.com/security/cve/CVE-2020-1714 https://bugzilla.redhat.com/show_bug.cgi?id=1705975 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 27EXPL: 0CVE-2019-14900 – hibernate: SQL injection issue in Hibernate ORM
https://notcve.org/view.php?id=CVE-2019-14900
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. Se encontró un fallo en Hibernate ORM en versiones anteriores a 5.3.18, 5.4.18 y 5.5.0.Beta1. Una inyección SQL en la implementación de la API JPA Criteria puede permitir literales no saneados cuando es usado un literal en las partes de la consulta SELECT o GROUP BY. • https://bugzilla.redhat.com/show_bug.cgi?id=1666499 https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E https://security.netapp.com/advisory/ntap-20220210-0020 https://access.redhat.com/security/cve/CVE-2019-14900 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 13EXPL: 0CVE-2020-10693 – hibernate-validator: Improper input validation in the interpolation of constraint error messages
https://notcve.org/view.php?id=CVE-2020-10693
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. Se encontró un fallo en Hibernate Validator versión 6.1.2.Final. Un error en el procesador de interpolación de mensajes permite evaluar expresiones EL no válidas como si fueran válidas. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693 https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-202 • CWE-20: Improper Input Validation •