CVSS: 5.5EPSS: 0%CPEs: 79EXPL: 0CVE-2021-36374 – Apache Ant ZIP, and ZIP based, archive denial of service vulerability
https://notcve.org/view.php?id=CVE-2021-36374
14 Jul 2021 — When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Cuando se lee un archivo ZIP especialmente diseñado, o un formato derivado, se puede hacer que una compilación... • https://ant.apache.org/security.html • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVSS: 5.5EPSS: 0%CPEs: 73EXPL: 0CVE-2021-36373 – Apache Ant TAR archive denial of service vulnerability
https://notcve.org/view.php?id=CVE-2021-36373
14 Jul 2021 — When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Cuando se lee un archivo TAR especialmente diseñado, se puede hacer que una compilación de Apache Ant asigne grandes cantidades de memoria que finalmente conlleva a un error de falta de memoria, incluso para entradas pequeñ... • https://ant.apache.org/security.html • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2021-2245
https://notcve.org/view.php?id=CVE-2021-2245
22 Apr 2021 — Vulnerability in the Oracle Database - Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Audit Policy privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Editio... • https://www.oracle.com/security-alerts/cpuapr2021.html •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-2234
https://notcve.org/view.php?id=CVE-2021-2234
22 Apr 2021 — Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). • https://www.oracle.com/security-alerts/cpuapr2021.html •
CVSS: 4.1EPSS: 0%CPEs: 4EXPL: 2CVE-2021-2173 – Oracle DB Broken PDB Isolation / Metadata Exposure
https://notcve.org/view.php?id=CVE-2021-2173
22 Apr 2021 — Vulnerability in the Recovery component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA Level Account privilege with network access via Oracle Net to compromise Recovery. While the vulnerability is in Recovery, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Recovery accessible dat... • https://packetstorm.news/files/id/171344 •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 4CVE-2021-2175 – Oracle Database Vault Metadata Exposure
https://notcve.org/view.php?id=CVE-2021-2175
22 Apr 2021 — Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). • https://packetstorm.news/files/id/170373 •
CVSS: 2.3EPSS: 0%CPEs: 4EXPL: 1CVE-2021-2207 – Oracle RMAN Missing Auditing
https://notcve.org/view.php?id=CVE-2021-2207
22 Apr 2021 — Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having RMAN executable privilege with logon to the infrastructure where Oracle Database - Enterprise Edition executes to compromise Oracle Database - Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some ... • https://packetstorm.news/files/id/174448 •
CVSS: 5.9EPSS: 5%CPEs: 28EXPL: 0CVE-2021-21409 – Possible request smuggling in HTTP/2 due missing validation of content-length
https://notcve.org/view.php?id=CVE-2021-21409
30 Mar 2021 — Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and tr... • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 2%CPEs: 55EXPL: 0CVE-2021-25122 – Apache Tomcat h2c request mix-up
https://notcve.org/view.php?id=CVE-2021-25122
01 Mar 2021 — When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. Cuando se responde a nuevas peticiones de conexión h2c, Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0, versiones 9.0.0.M1 hasta 9.0.41 y versiones 8.5.0 hasta 8.5.61, podrían duplicar los encabezados de petici... • http://www.openwall.com/lists/oss-security/2021/03/01/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.0EPSS: 4%CPEs: 60EXPL: 0CVE-2021-25329 – Incomplete fix for CVE-2020-9484
https://notcve.org/view.php?id=CVE-2021-25329
01 Mar 2021 — The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. La corrección para el CVE-2020-9484 estaba incompleta. Cuando se usa Apache To... • http://www.openwall.com/lists/oss-security/2021/03/01/2 • CWE-502: Deserialization of Untrusted Data •