Total
27 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32647 | 1 Nsa | 1 Emissary | 2022-07-02 | 6.5 MEDIUM | 9.1 CRITICAL |
| Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The [`CreatePlace`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/CreatePlaceAction.java#L36) REST endpoint accepts an `sppClassName` parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: `<constructor>(String, String, String)`. An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application. Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data. As a work around disable network access to Emissary from untrusted sources. | |||||
| CVE-2019-10174 | 3 Infinispan, Netapp, Redhat | 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more | 2022-02-20 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. | |||||
| CVE-2021-31522 | 1 Apache | 1 Kylin | 2022-01-12 | 7.5 HIGH | 9.8 CRITICAL |
| Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions. | |||||
| CVE-2020-7857 | 1 Tobesoft | 1 Xplatform | 2021-04-29 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability of XPlatform could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient validation of improper classes. This issue affects: Tobesoft XPlatform versions prior to 9.2.2.280. | |||||
| CVE-2019-20635 | 1 Intland | 1 Codebeamer | 2020-08-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields. | |||||
| CVE-2019-3834 | 1 Redhat | 1 Jboss Operations Network | 2019-10-10 | 6.8 MEDIUM | 7.3 HIGH |
| It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3. | |||||
| CVE-2018-5511 | 3 F5, Microsoft, Vmware | 17 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 14 more | 2019-10-03 | 6.5 MEDIUM | 7.2 HIGH |
| On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. | |||||