CVSS: 10.0EPSS: 94%CPEs: 12EXPL: 30CVE-2023-46604 – Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2023-46604
27 Oct 2023 — The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this is... • https://packetstorm.news/files/id/175676 • CWE-502: Deserialization of Untrusted Data •
CVSS: 3.7EPSS: 0%CPEs: 26EXPL: 0CVE-2022-39399 – OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)
https://notcve.org/view.php?id=CVE-2022-39399
18 Oct 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37QDWJBGEPP65X43NXQTXQ7KASLUHON6 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 3.7EPSS: 0%CPEs: 33EXPL: 0CVE-2022-21619 – OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)
https://notcve.org/view.php?id=CVE-2022-21619
18 Oct 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37QDWJBGEPP65X43NXQTXQ7KASLUHON6 • CWE-192: Integer Coercion Error •
CVSS: 3.7EPSS: 0%CPEs: 33EXPL: 0CVE-2022-21624 – OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)
https://notcve.org/view.php?id=CVE-2022-21624
18 Oct 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in una... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37QDWJBGEPP65X43NXQTXQ7KASLUHON6 • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.3EPSS: 0%CPEs: 27EXPL: 0CVE-2022-21626 – OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)
https://notcve.org/view.php?id=CVE-2022-21626
18 Oct 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to caus... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ARF4QF4N3X5GSFHXUBWARGLISGKJ33R • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 33EXPL: 0CVE-2022-21628 – OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)
https://notcve.org/view.php?id=CVE-2022-21628
18 Oct 2022 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in ... • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37QDWJBGEPP65X43NXQTXQ7KASLUHON6 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 93%CPEs: 22EXPL: 4CVE-2021-34429 – Eclipse Jetty 11.0.5 - Sensitive File Disclosure
https://notcve.org/view.php?id=CVE-2021-34429
15 Jul 2021 — For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Para Eclipse Jetty versiones 9.4.37-9.4.42, 10.0.1-10.0.5 y 11.0.1-11.0.5, los URIs pueden ser diseñados usando algunos caracteres codificados para acceder al contenido del directorio WEB-INF y/o omitir algunas r... • https://packetstorm.news/files/id/180705 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization •
CVSS: 7.8EPSS: 13%CPEs: 24EXPL: 3CVE-2021-28165 – jetty: Resource exhaustion when receiving an invalid large TLS frame
https://notcve.org/view.php?id=CVE-2021-28165
01 Apr 2021 — In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. En Eclipse Jetty versiones 7.2.2 hasta 9.4.38, versiones 10.0.0.alpha0 hasta 10.0.1 y versiones 11.0.0.alpha0 hasta 11.0.1, el uso de CPU puede alcanzar el 100% al recibir una gran trama TLS no válida. When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is i... • https://github.com/uthrasri/CVE-2021-28165 • CWE-400: Uncontrolled Resource Consumption CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 5.3EPSS: 0%CPEs: 30EXPL: 0CVE-2020-14803 – OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136)
https://notcve.org/view.php?id=CVE-2020-14803
21 Oct 2020 — Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applicati... • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 4.3EPSS: 0%CPEs: 22EXPL: 0CVE-2020-14781 – OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990)
https://notcve.org/view.php?id=CVE-2020-14781
21 Oct 2020 — Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and... • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html • CWE-319: Cleartext Transmission of Sensitive Information •