Filtered by vendor Oracle
Subscribe
Filtered by product Jd Edwards Enterpriseone Orchestrator
Subscribe
Total
42 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-11620 | 4 Debian, Fasterxml, Netapp and 1 more | 18 Debian Linux, Jackson-databind, Active Iq Unified Manager and 15 more | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). | |||||
| CVE-2020-11619 | 4 Debian, Fasterxml, Netapp and 1 more | 21 Debian Linux, Jackson-databind, Active Iq Unified Manager and 18 more | 2023-11-07 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | |||||
| CVE-2020-11023 | 7 Debian, Drupal, Fedoraproject and 4 more | 55 Debian Linux, Drupal, Fedora and 52 more | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | |||||
| CVE-2019-20330 | 4 Debian, Fasterxml, Netapp and 1 more | 30 Debian Linux, Jackson-databind, Active Iq Unified Manager and 27 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. | |||||
| CVE-2019-17531 | 5 Debian, Fasterxml, Netapp and 2 more | 23 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 20 more | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. | |||||
| CVE-2019-17195 | 3 Apache, Connect2id, Oracle | 15 Hadoop, Nimbus Jose\+jwt, Communications Cloud Native Core Security Edge Protection Proxy and 12 more | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | |||||
| CVE-2019-16943 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 27 Debian Linux, Jackson-databind, Fedora and 24 more | 2023-11-07 | 6.8 MEDIUM | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | |||||
| CVE-2019-16942 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 29 Debian Linux, Jackson-databind, Fedora and 26 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | |||||
| CVE-2019-14439 | 6 Apache, Debian, Fasterxml and 3 more | 18 Drill, Debian Linux, Jackson-databind and 15 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. | |||||
| CVE-2019-14379 | 7 Apple, Debian, Fasterxml and 4 more | 25 Xcode, Debian Linux, Jackson-databind and 22 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | |||||
| CVE-2019-10219 | 3 Netapp, Oracle, Redhat | 195 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 192 more | 2023-11-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. | |||||
| CVE-2019-10086 | 6 Apache, Debian, Fedoraproject and 3 more | 60 Commons Beanutils, Nifi, Debian Linux and 57 more | 2023-11-07 | 7.5 HIGH | 7.3 HIGH |
| In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | |||||
| CVE-2018-14718 | 5 Debian, Fasterxml, Netapp and 2 more | 26 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 23 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | |||||
| CVE-2020-36189 | 4 Debian, Fasterxml, Netapp and 1 more | 40 Debian Linux, Jackson-databind, Cloud Backup and 37 more | 2023-09-13 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. | |||||
| CVE-2020-36188 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2023-09-13 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. | |||||
| CVE-2020-36187 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2023-09-13 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. | |||||
| CVE-2020-36186 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2023-09-13 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. | |||||
| CVE-2020-36185 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2023-09-13 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | |||||
| CVE-2020-36183 | 4 Debian, Fasterxml, Netapp and 1 more | 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more | 2023-09-13 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | |||||
| CVE-2023-22050 | 1 Oracle | 1 Jd Edwards Enterpriseone Orchestrator | 2023-07-27 | N/A | 5.4 MEDIUM |
| Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of Oracle JD Edwards (component: E1 IOT Orchestrator Security). Supported versions that are affected are Prior to 9.2.7.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Orchestrator accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Orchestrator accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | |||||