CVSS: 5.5EPSS: 0%CPEs: 79EXPL: 0CVE-2021-36374 – Apache Ant ZIP, and ZIP based, archive denial of service vulerability
https://notcve.org/view.php?id=CVE-2021-36374
14 Jul 2021 — When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Cuando se lee un archivo ZIP especialmente diseñado, o un formato derivado, se puede hacer que una compilación... • https://ant.apache.org/security.html • CWE-130: Improper Handling of Length Parameter Inconsistency •
CVSS: 5.5EPSS: 0%CPEs: 73EXPL: 0CVE-2021-36373 – Apache Ant TAR archive denial of service vulnerability
https://notcve.org/view.php?id=CVE-2021-36373
14 Jul 2021 — When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. Cuando se lee un archivo TAR especialmente diseñado, se puede hacer que una compilación de Apache Ant asigne grandes cantidades de memoria que finalmente conlleva a un error de falta de memoria, incluso para entradas pequeñ... • https://ant.apache.org/security.html • CWE-130: Improper Handling of Length Parameter Inconsistency CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.0EPSS: 10%CPEs: 28EXPL: 0CVE-2020-13936 – Velocity Sandbox Bypass
https://notcve.org/view.php?id=CVE-2020-13936
10 Mar 2021 — An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. Un atacante que es capaz de modificar las plantillas de Velocity puede ejecutar código Java arbitrario o ejecutar comandos de sistema arbitrarios con los mismos privilegios que la... • http://www.openwall.com/lists/oss-security/2021/03/10/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 110EXPL: 0CVE-2019-10086 – apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
https://notcve.org/view.php?id=CVE-2019-10086
20 Aug 2019 — In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. En Apache Commons Beanutils 1.9.2, se agregó una clase especial BeanIntrospector que permite suprimir la capacidad de un atacante para acceder al cargador de clases a través de la propiedad de clase disponible en todo... • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 10%CPEs: 180EXPL: 1CVE-2019-13990 – libquartz: XXE attacks via job description
https://notcve.org/view.php?id=CVE-2019-13990
26 Jul 2019 — initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. La función initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versión 2.3.0, permite ataques de tipo XXE por medio de una descripción del trabajo. The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of X... • https://github.com/epicosy/Quartz-1 • CWE-611: Improper Restriction of XML External Entity Reference •