Filtered by vendor Oracle
Subscribe
Total
9622 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-22883 | 5 Fedoraproject, Netapp, Nodejs and 2 more | 9 Fedora, E-series Performance Analyzer, Node.js and 6 more | 2023-11-07 | 7.8 HIGH | 7.5 HIGH |
| Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. | |||||
| CVE-2021-22696 | 2 Apache, Oracle | 6 Cxf, Business Intelligence, Communications Diameter Intelligence Hub and 3 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https) and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDos attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10. | |||||
| CVE-2021-22570 | 5 Debian, Fedoraproject, Google and 2 more | 8 Debian Linux, Fedora, Protobuf and 5 more | 2023-11-07 | 2.1 LOW | 5.5 MEDIUM |
| Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. | |||||
| CVE-2021-22207 | 4 Debian, Fedoraproject, Oracle and 1 more | 4 Debian Linux, Fedora, Zfs Storage Appliance Kit and 1 more | 2023-11-07 | 5.0 MEDIUM | 6.5 MEDIUM |
| Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file | |||||
| CVE-2021-22174 | 3 Fedoraproject, Oracle, Wireshark | 3 Fedora, Zfs Storage Appliance, Wireshark | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Crash in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file | |||||
| CVE-2021-22173 | 3 Fedoraproject, Oracle, Wireshark | 3 Fedora, Zfs Storage Appliance, Wireshark | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Memory leak in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file | |||||
| CVE-2021-22119 | 2 Oracle, Vmware | 2 Communications Cloud Native Core Policy, Spring Security | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions. | |||||
| CVE-2021-22112 | 3 Oracle, Pivotal Software, Vmware | 8 Communications Element Manager, Communications Interactive Session Recorder, Communications Unified Inventory Management and 5 more | 2023-11-07 | 9.0 HIGH | 8.8 HIGH |
| Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application. | |||||
| CVE-2021-21703 | 5 Debian, Fedoraproject, Netapp and 2 more | 5 Debian Linux, Fedora, Clustered Data Ontap and 2 more | 2023-11-07 | 6.9 MEDIUM | 7.0 HIGH |
| In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. | |||||
| CVE-2021-21409 | 5 Debian, Netapp, Netty and 2 more | 18 Debian Linux, Oncommand Api Services, Oncommand Workflow Automation and 15 more | 2023-11-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. | |||||
| CVE-2021-21351 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 6.5 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21350 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21349 | 4 Debian, Fedoraproject, Oracle and 1 more | 14 Debian Linux, Fedora, Banking Enterprise Default Management and 11 more | 2023-11-07 | 5.0 MEDIUM | 8.6 HIGH |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21348 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 7.8 HIGH | 7.5 HIGH |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21347 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21346 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21345 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 6.5 MEDIUM | 9.9 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21344 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21343 | 4 Debian, Fedoraproject, Oracle and 1 more | 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21342 | 4 Debian, Fedoraproject, Oracle and 1 more | 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more | 2023-11-07 | 5.8 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||