Product:

Communications_brm_\-_elastic_charging_engine

(Oracle)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 14
Date Id Summary Products Score Patch Annotated
2020-01-17 CVE-2020-5397 Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome... Application_testing_suite, Communications_brm_\-_elastic_charging_engine, Communications_diameter_signaling_router, Communications_element_manager, Communications_policy_management, Communications_session_route_manager, Enterprise_manager_base_platform, Financial_services_regulatory_reporting_with_agilereporter, Flexcube_private_banking, Healthcare_master_person_index, Insurance_calculation_engine, Insurance_policy_administration_j2ee, Insurance_rules_palette, Mysql_enterprise_monitor, Rapid_planning, Retail_assortment_planning, Retail_back_office, Retail_central_office, Retail_financial_integration, Retail_integration_bus, Retail_order_broker, Retail_point\-Of\-Service, Retail_predictive_application_server, Retail_returns_management, Retail_service_backbone, Weblogic_server, Spring_framework 5.3
2020-12-07 CVE-2020-17521 Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and... Atlas, Groovy, Snapcenter, Agile_engineering_data_management, Agile_plm, Agile_plm_mcad_connector, Business_process_management_suite, Communications_brm_\-_elastic_charging_engine, Communications_diameter_signaling_router, Communications_evolved_communications_application_server, Communications_services_gatekeeper, Healthcare_data_repository, Hospitality_opera_5, Ilearning, Insurance_policy_administration, Jd_edwards_enterpriseone_orchestrator, Primavera_gateway, Primavera_unifier, Retail_bulk_data_integration, Retail_merchandising_system, Retail_store_inventory_management 5.5
2021-02-08 CVE-2021-21290 Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary... Debian_linux, Active_iq_unified_manager, Cloud_secure_agent, Snapcenter, Netty, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_trade_finance_process_management, Communications_brm_\-_elastic_charging_engine, Communications_design_studio, Communications_messaging_server, Nosql_database, Quarkus 5.5
2021-03-23 CVE-2021-21342 XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the... Debian_linux, Fedora, Banking_enterprise_default_management, Banking_platform, Banking_virtual_account_management, Business_activity_monitoring, Communications_brm_\-_elastic_charging_engine, Communications_policy_management, Communications_unified_inventory_management, Retail_xstore_point_of_service, Webcenter_portal, Xstream 9.1
2021-03-30 CVE-2021-21409 Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a... Debian_linux, Oncommand_api_services, Oncommand_workflow_automation, Netty, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_trade_finance_process_management, Coherence, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_console, Communications_cloud_native_core_policy, Communications_design_studio, Communications_messaging_server, Helidon, Jd_edwards_enterpriseone_tools, Nosql_database, Primavera_gateway, Quarkus 5.9
2021-05-27 CVE-2021-22118 In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. Hci, Management_services_for_element_software, Commerce_guided_search, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_service_communication_proxy, Communications_cloud_native_core_unified_data_repository, Communications_diameter_intelligence_hub, Communications_element_manager, Communications_interactive_session_recorder, Communications_network_integrity, Communications_session_report_manager, Communications_session_route_manager, Communications_unified_inventory_management, Documaker, Enterprise_data_quality, Financial_services_analytical_applications_infrastructure, Healthcare_data_repository, Insurance_policy_administration, Insurance_rules_palette, Mysql_enterprise_monitor, Retail_assortment_planning, Retail_customer_management_and_segmentation_foundation, Retail_financial_integration, Retail_integration_bus, Retail_merchandising_system, Retail_order_broker, Retail_predictive_application_server, Utilities_testing_accelerator, Spring_framework 7.8
2021-05-28 CVE-2021-29505 XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17. Debian_linux, Fedora, Snapmanager, Banking_cash_management, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_supply_chain_finance, Banking_trade_finance_process_management, Business_activity_monitoring, Communications_brm_\-_elastic_charging_engine, Communications_unified_inventory_management, Enterprise_manager_ops_center, Retail_xstore_point_of_service, Webcenter_portal, Webcenter_sites, Xstream 8.8
2021-09-22 CVE-2021-38153 Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. Kafka, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_policy, Financial_services_analytical_applications_infrastructure, Financial_services_behavior_detection_platform, Financial_services_enterprise_case_management, Primavera_unifier, Quarkus 5.9
2021-10-19 CVE-2021-37136 The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack Debian_linux, Oncommand_insight, Netty, Banking_apis, Banking_digital_experience, Coherence, Commerce_guided_search, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_network_slice_selection_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_unified_data_repository, Communications_diameter_signaling_router, Communications_instant_messaging_server, Helidon, Peoplesoft_enterprise_peopletools, Webcenter_portal, Quarkus 7.5
2021-10-19 CVE-2021-37137 The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. Debian_linux, Oncommand_insight, Netty, Banking_apis, Banking_digital_experience, Commerce_guided_search, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_binding_support_function, Communications_diameter_signaling_router, Peoplesoft_enterprise_peopletools, Webcenter_portal, Quarkus 7.5