CVSS: 5.9EPSS: 0%CPEs: 9EXPL: 0CVE-2021-36221 – golang: net/http/httputil: panic due to racy read of persistConn after handler panic
https://notcve.org/view.php?id=CVE-2021-36221
08 Aug 2021 — Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. Go versiones anteriores a 1.15.15 y 1.16.x versiones anteriores a 1.16.7, presenta una condición de carrera que puede conllevar un pánico de net/http/httputil ReverseProxy al abortar ErrAbortHandler A race condition flaw was found in Go. The incoming requests body weren't closed after the handler panic and as a consequence this could lead to ReverseProxy cras... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-29923 – golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
https://notcve.org/view.php?id=CVE-2021-29923
07 Aug 2021 — Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extraños al principio de un octeto de dirección IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso qu... • https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis • CWE-20: Improper Input Validation •
CVSS: 8.3EPSS: 2%CPEs: 248EXPL: 6CVE-2021-2351 – Oracle Database Weak NNE Integrity Key Derivation
https://notcve.org/view.php?id=CVE-2021-2351
20 Jul 2021 — Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful atta... • https://packetstorm.news/files/id/165258 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-384: Session Fixation •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 1CVE-2021-34558 – golang: crypto/tls: certificate of wrong type is causing TLS client to panic
https://notcve.org/view.php?id=CVE-2021-34558
15 Jul 2021 — The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. El paquete crypto/tls de Go versiones hasta 1.16.5, no afirma apropiadamente que el tipo de clave pública en un certificado X.509 coincida con el tipo esperado cuando se hace un intercambio de claves basado en RSA, permitiendo a un servidor TLS malicioso causar el... • https://github.com/alexzorin/cve-2021-34558 • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 3CVE-2020-7712 – Command Injection
https://notcve.org/view.php?id=CVE-2020-7712
30 Aug 2020 — This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function. Esto afecta al paquete json versiones anteriores a 10.0.0. Es posible inyectar comandos arbitrarios usando la función parseLookup • https://github.com/trentm/json/issues/144 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •