CVSS: 6.5EPSS: 0%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2017-3242
https://notcve.org/view.php?id=CVE-2017-3242
Vulnerability in the Oracle VM Server for Sparc component of Oracle Sun Systems Products Suite (subcomponent: LDOM Manager). Supported versions that are affected are 3.2 and 3.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM Server for Sparc executes to compromise Oracle VM Server for Sparc. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM Server for Sparc, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM Server for Sparc. • http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html http://www.securityfocus.com/bid/95541 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2016-7039 – kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash
https://notcve.org/view.php?id=CVE-2016-7039
The IP stack in the Linux kernel through 4.8.2 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for large crafted packets, as demonstrated by packets that contain only VLAN headers, a related issue to CVE-2016-8666. La pila IP en el kernel de Linux hasta la versión 4.8.2 permite a atacantes remotos provocar una denegación de servicio (consumo de pila y pánico) o tener otro posible impacto no especificado desencadenando uso de la ruta GRO para paquetes grandes manipulados, como se demuestra por los paquetes que contienen solo cabeceras VLAN, un problema relacionado con CVE-2016-8666. Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel. • http://rhn.redhat.com/errata/RHSA-2016-2047.html http://rhn.redhat.com/errata/RHSA-2016-2107.html http://rhn.redhat.com/errata/RHSA-2016-2110.html http://www.openwall.com/lists/oss-security/2016/10/10/15 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html http://www.securityfocus.com/bid/93476 https://access.redhat.com/errata/RHSA-2017:0372 https://bto.bluecoat.com/ • CWE-399: Resource Management Errors CWE-674: Uncontrolled Recursion •
CVSS: 7.8EPSS: 97%CPEs: 49EXPL: 2CVE-2016-2776 – ISC BIND 9 - Denial of Service
https://notcve.org/view.php?id=CVE-2016-2776
buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. buffer.c en named en ISC BIND 9 en versiones anteriores a 9.9.9-P3, 9.10.x en versiones anteriores a 9.10.4-P3 y 9.11.x en versiones anteriores a 9.11.0rc3 no construye respuestas adecuadamente, lo que permite a atacantes remotos provocar una denegación de servicio (fallo de aserción y salida de demonio) a través de una consulta manipulada. A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isnt allowed to make queries. • https://www.exploit-db.com/exploits/40453 https://github.com/infobyte/CVE-2016-2776 http://rhn.redhat.com/errata/RHSA-2016-1944.html http://rhn.redhat.com/errata/RHSA-2016-1945.html http://rhn.redhat.com/errata/RHSA-2016-2099.html http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html http://www.securityf • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-6197 – kernel: overlayfs: missing upper dentry verification before unlink and rename
https://notcve.org/view.php?id=CVE-2016-6197
fs/overlayfs/dir.c in the OverlayFS filesystem implementation in the Linux kernel before 4.6 does not properly verify the upper dentry before proceeding with unlink and rename system-call processing, which allows local users to cause a denial of service (system crash) via a rename system call that specifies a self-hardlink. fs/overlayfs/dir.c en la implementación del sistema de archivos OverlayFS en el kernel de Linux en versiones anteriores a 4.6 no verifica adecuadamente la dentry superior antes de proceder con el procesamiento de desconexión y cambio de nombre de llamadas al sistema, lo que permite a usuarios locales provocar una denegación del servicio (caída de sistema) a través de una llamada al sistema cambiada de nombre que especifica un self-hardlink. It was found that the unlink and rename functionality in overlayfs did not verify the upper dentry for staleness. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to panic or crash the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=11f3710417d026ea2f4fcf362d866342c5274185 http://rhn.redhat.com/errata/RHSA-2016-1847.html http://rhn.redhat.com/errata/RHSA-2016-1875.html http://www.openwall.com/lists/oss-security/2016/07/11/8 http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html http://www.securityfocus.com/bid/91709 http://www.securitytracker. • CWE-20: Improper Input Validation CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •