CVSS: 5.9EPSS: 0%CPEs: 75EXPL: 1CVE-2020-1971 – EDIPARTYNAME NULL pointer dereference
https://notcve.org/view.php?id=CVE-2020-1971
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. • https://github.com/MBHudson/CVE-2020-1971 http://www.openwall.com/lists/oss-security/2021/09/14/2 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920 https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676 https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b7 • CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 42EXPL: 0CVE-2020-14621 – OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
https://notcve.org/view.php?id=CVE-2020-14621
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://kc.mcafee.com/corporate/index?page=content&id=SB10332 https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103%40%3Cj-users.xerces.apache.org%3E https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html https://lists.fedoraproject.org/archives& • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 131EXPL: 0CVE-2020-2830 – OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
https://notcve.org/view.php?id=CVE-2020-2830
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html https://kc.mcafee.com/corporate/index?page=content&id=SB10318 https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ https://lists.fedoraproject.org/archives& • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.3EPSS: 0%CPEs: 127EXPL: 0CVE-2020-2803 – OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
https://notcve.org/view.php?id=CVE-2020-2803
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCW • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.3EPSS: 0%CPEs: 127EXPL: 0CVE-2020-2805 – OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
https://notcve.org/view.php?id=CVE-2020-2805
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCW • CWE-20: Improper Input Validation •