CVE-2021-3450 – CA certificate check bypass with X509_V_FLAG_X509_STRICT
https://notcve.org/view.php?id=CVE-2021-3450
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. • http://www.openwall.com/lists/oss-security/2021/03/27/1 http://www.openwall.com/lists/oss-security/2021/03/27/2 http://www.openwall.com/lists/oss-security/2021/03/28/3 http://www.openwall.com/lists/oss-security/2021/03/28/4 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845 https://kc.mc • CWE-295: Improper Certificate Validation •
CVE-2020-14805
https://notcve.org/view.php?id=CVE-2020-14805
Vulnerability in the Oracle E-Business Suite Secure Enterprise Search product of Oracle E-Business Suite (component: Search Integration Engine). Supported versions that are affected are 12.1.3 and 12.2.3 - 12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite Secure Enterprise Search. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle E-Business Suite Secure Enterprise Search accessible data as well as unauthorized access to critical data or complete access to all Oracle E-Business Suite Secure Enterprise Search accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). • https://www.oracle.com/security-alerts/cpuoct2020.html •
CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-3549
https://notcve.org/view.php?id=CVE-2016-3549
Unspecified vulnerability in the Oracle E-Business Suite Secure Enterprise Search component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality via vectors related to Search Integration Engine. Vulnerabilidad no especificada en el componente Oracle E-Business Suite Secure Enterprise Search en Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4 y 12.2.5 permite a atacantes remotos afectar la confidencialidad a través de vectores relacionados con Search Integration Engine. • http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.securityfocus.com/bid/91787 http://www.securityfocus.com/bid/91886 http://www.securitytracker.com/id/1036403 •
CVE-2007-3854
https://notcve.org/view.php?id=CVE-2007-3854
Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.7, and 10.1.0.5 allow remote authenticated users to have unknown impact via (1) SYS.DBMS_PRVTAQIS in the Advanced Queuing component (DB02) and (2) MDSYS.MD in the Spatial component (DB12). NOTE: Oracle has not disputed reliable researcher claims that DB02 is for SQL injection and DB12 is for a buffer overflow. Múltiples vulnerabilidades no especificadas en Oracle Database versiones 9.0.1.5+, 9.2.0.7 y 10.1.0.5, permiten a usuarios autenticados remotoss tener un impacto desconocido por medio de (1) SYS.DBMS_PRVTAQIS en el componente Advanced Queuing (DB02) y (2) MDSYS.MD en el componente Spatial (DB12). NOTA: Oracle no ha cuestionado las afirmaciones de investigadores confiables de que DB02 es para una inyección SQL y DB12 para un desbordamiento de búfer. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00727143 http://secunia.com/advisories/26114 http://secunia.com/advisories/26166 http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_July_2007_Analysis.pdf http://www.oracle.com/technetwork/topics/security/cpujul2007-087014.html http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_prvtaqis.html http://w •