Filtered by vendor Oracle
Subscribe
Filtered by product Communications Unified Inventory Management
Subscribe
Total
72 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23632 | 2 Oracle, Traefik | 2 Communications Unified Inventory Management, Traefik | 2022-11-23 | 6.8 MEDIUM | 7.5 HIGH |
| Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.6.1, Traefik skips the router transport layer security (TLS) configuration when the host header is a fully qualified domain name (FQDN). For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. When sending a request using FQDN handled by a router configured with a dedicated TLS configuration, the TLS configuration falls back to the default configuration that might not correspond to the configured one. If the CNAME flattening is enabled, the selected TLS configuration is the SNI one and the routing uses the CNAME value, so this can skip the expected TLS configuration. Version 2.6.1 contains a patch for this issue. As a workaround, one may add the FDQN to the host rule. However, there is no workaround if the CNAME flattening is enabled. | |||||
| CVE-2021-22118 | 3 Netapp, Oracle, Vmware | 32 Hci, Management Services For Element Software, Commerce Guided Search and 29 more | 2022-10-25 | 4.6 MEDIUM | 7.8 HIGH |
| In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. | |||||
| CVE-2021-45105 | 5 Apache, Debian, Netapp and 2 more | 121 Log4j, Debian Linux, Cloud Manager and 118 more | 2022-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. | |||||
| CVE-2019-10173 | 2 Oracle, Xstream Project | 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more | 2022-10-05 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) | |||||
| CVE-2020-35490 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Service Level Manager and 22 more | 2022-09-08 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. | |||||
| CVE-2020-35491 | 4 Debian, Fasterxml, Netapp and 1 more | 26 Debian Linux, Jackson-databind, Service Level Manager and 23 more | 2022-09-08 | 6.8 MEDIUM | 8.1 HIGH |
| FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. | |||||
| CVE-2018-1257 | 3 Oracle, Redhat, Vmware | 30 Agile Product Lifecycle Management, Application Testing Suite, Big Data Discovery and 27 more | 2022-06-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. | |||||
| CVE-2018-11040 | 3 Debian, Oracle, Vmware | 28 Debian Linux, Agile Product Lifecycle Management, Application Testing Suite and 25 more | 2022-06-23 | 4.3 MEDIUM | 7.5 HIGH |
| Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. | |||||
| CVE-2018-11039 | 3 Debian, Oracle, Vmware | 33 Debian Linux, Agile Plm, Application Testing Suite and 30 more | 2022-06-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. | |||||
| CVE-2019-17091 | 2 Eclipse, Oracle | 23 Mojarra, Application Testing Suite, Banking Enterprise Product Manufacturing and 20 more | 2022-04-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled. | |||||
| CVE-2018-2571 | 1 Oracle | 1 Communications Unified Inventory Management | 2019-10-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| Vulnerability in the Oracle Communications Unified Inventory Management component of Oracle Communications Applications (subcomponent: Portal). Supported versions that are affected are 7.2.4.2.x and 7.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | |||||
| CVE-2018-2570 | 1 Oracle | 1 Communications Unified Inventory Management | 2019-10-03 | 6.5 MEDIUM | 6.3 MEDIUM |
| Vulnerability in the Oracle Communications Unified Inventory Management component of Oracle Communications Applications (subcomponent: Portal). Supported versions that are affected are 7.2.4.2.x and 7.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Unified Inventory Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Unified Inventory Management accessible data as well as unauthorized read access to a subset of Oracle Communications Unified Inventory Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Communications Unified Inventory Management. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). | |||||