Page 9 of 139 results (0.016 seconds)

CVSS: 5.3EPSS: 0%CPEs: 24EXPL: 0

CVE-2021-35556 – OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)

https://notcve.org/view.php?id=CVE-2021-35556

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6EUURAQOIJYFZHQ7DFZCO6IKDPIAWTNK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WTVCIVHTX3XONYOEGUMLKCM4QEC6INT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJILEHYV2U37HKMGFEQ7CAVOV4DUWW2O https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTYZWIXDFUV2H57YQZJWPOD3 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.1EPSS: 0%CPEs: 22EXPL: 0

CVE-2021-35550 – OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)

https://notcve.org/view.php?id=CVE-2021-35550

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6EUURAQOIJYFZHQ7DFZCO6IKDPIAWTNK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WTVCIVHTX3XONYOEGUMLKCM4QEC6INT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJILEHYV2U37HKMGFEQ7CAVOV4DUWW2O https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GTYZWIXDFUV2H57YQZJWPOD3 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 5.3EPSS: 44%CPEs: 22EXPL: 3

CVE-2021-34429 – Eclipse Jetty 11.0.5 - Sensitive File Disclosure

https://notcve.org/view.php?id=CVE-2021-34429

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Para Eclipse Jetty versiones 9.4.37-9.4.42, 10.0.1-10.0.5 y 11.0.1-11.0.5, los URIs pueden ser diseñados usando algunos caracteres codificados para acceder al contenido del directorio WEB-INF y/o omitir algunas restricciones de seguridad. Esta es una variación de la vulnerabilidad reportada en CVE-2021-28164/GHSA-v7ff-8wcx-gmc5 • https://www.exploit-db.com/exploits/50478 https://github.com/ColdFusionX/CVE-2021-34429 https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0%40%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857%40%3Ccommits.kafka.apache.org%3E https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398%40%3Ccommits.zookeeper.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization •

CVSS: 3.6EPSS: 0%CPEs: 19EXPL: 0

CVE-2021-34428 – jetty: SessionListener can prevent a session from being invalidated breaking logout

https://notcve.org/view.php?id=CVE-2021-34428

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. Para Eclipse Jetty versiones anteriores a 9.4.40 incluyéndola, versiones anteriores a 10.0.2 incluyéndola, versiones anteriores a 11.0.2 incluyéndola, si es lanzada una excepción desde el método SessionListener#sessionDestroyed(), el ID de sesión no es invalidado en el administrador de ID de sesión. En despliegues con sesiones agrupadas y múltiples contextos esto puede resultar en que una sesión no sea invalidada. • https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6 https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zo • CWE-613: Insufficient Session Expiration •

CVSS: 8.6EPSS: 1%CPEs: 34EXPL: 0

CVE-2021-3517 – libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c

https://notcve.org/view.php?id=CVE-2021-3517

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. Se presenta un fallo en la funcionalidad xml entity encoding de libxml2 en versiones anteriores a 2.9.11.&#xa0;Un atacante que sea capaz de proporcionar un archivo diseñado para que sea procesado por una aplicación vinculada con la funcionalidad afectada de libxml2 podría desencadenar una lectura fuera de los límites. • https://bugzilla.redhat.com/show_bug.cgi?id=1954232 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6 https://lists.fedoraproject.org/archives/list/pack • CWE-787: Out-of-bounds Write •