CVSS: 5.9EPSS: 65%CPEs: 213EXPL: 10CVE-2021-45105 – Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
https://notcve.org/view.php?id=CVE-2021-45105
18 Dec 2021 — Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. Apache Log4j2 versiones 2.0-alpha1 hasta 2.16.0 (excluyendo las versiones 2.12.3 y 2.3.1) no protegían de la recursión no controlada de las búsquedas autorreferenciales.... • https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832 • CWE-20: Improper Input Validation CWE-674: Uncontrolled Recursion •
CVSS: 8.3EPSS: 1%CPEs: 248EXPL: 6CVE-2021-2351 – Oracle Database Weak NNE Integrity Key Derivation
https://notcve.org/view.php?id=CVE-2021-2351
20 Jul 2021 — Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful atta... • https://packetstorm.news/files/id/165258 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 71EXPL: 0CVE-2020-11979 – ant: insecure temporary file
https://notcve.org/view.php?id=CVE-2020-11979
01 Oct 2020 — As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. Como mitigación para CVE-2020-1945, Apache Ant versión 1.10.8, cambió los permisos de los archivos temporales que creó ... • https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm • CWE-377: Insecure Temporary File CWE-379: Creation of Temporary File in Directory with Insecure Permissions •
CVSS: 6.3EPSS: 0%CPEs: 117EXPL: 0CVE-2020-1945 – ant: insecure temporary file vulnerability
https://notcve.org/view.php?id=CVE-2020-1945
14 May 2020 — Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. Apache Ant versiones 1.1 hasta 1.9.14 y versiones 1.10.0 hasta 1.10.7, utiliza el directorio temporal por defecto identificado por la... • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.html • CWE-377: Insecure Temporary File CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 9.8EPSS: 2%CPEs: 79EXPL: 0CVE-2020-10683 – dom4j: XML External Entity vulnerability in default SAX parser
https://notcve.org/view.php?id=CVE-2020-10683
01 May 2020 — dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. dom4j versiones anteriores a 2.0.3 y versiones 2.1.x anteriores a 2.1.3, permite DTDs y External Entities por defecto, lo que podría permitir ataques de tipo XXE. Sin embargo, existe una documentación externa popular de OWASP que mues... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 101EXPL: 0CVE-2020-9488 – log4j: improper validation of certificate with host mismatch in SMTP appender
https://notcve.org/view.php?id=CVE-2020-9488
27 Apr 2020 — Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 Validación incorrecta del certificado con desajuste de host en el apéndice SMTP de Apache Log4j. Esto podría permitir que una conexión SMTPS fuera interceptada por un ataque de tipo man-in-the-middle que podría filtrar cualquier mensaje de ... • https://issues.apache.org/jira/browse/LOG4J2-2819 • CWE-295: Improper Certificate Validation •