Communications_instant_messaging_server - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

Product:
Communications_instant_messaging_server
(Oracle)

Repositories	https://github.com/FasterXML/jackson-databind
#Vulnerabilities	57

Date	Id	Summary	Products	Score	Patch	Annotated
2021-01-07	CVE-2020-36182	FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.	Debian_linux, Jackson\-Databind, Cloud_backup, Service_level_manager, Agile_plm, Application_testing_suite, Autovue_for_agile_product_lifecycle_management, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_extensibility_workbench, Banking_supply_chain_finance, Banking_treasury_management, Banking_virtual_account_management, Blockchain_platform, Commerce_platform, Communications_billing_and_revenue_management, Communications_cloud_native_core_policy, Communications_cloud_native_core_unified_data_repository, Communications_convergent_charging_controller, Communications_diameter_signaling_route, Communications_element_manager, Communications_evolved_communications_application_server, Communications_instant_messaging_server, Communications_network_charging_and_control, Communications_offline_mediation_controller, Communications_policy_management, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Communications_unified_inventory_management, Data_integrator, Documaker, Goldengate_application_adapters, Insurance_policy_administration, Insurance_rules_palette, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Primavera_unifier, Retail_customer_management_and_segmentation_foundation, Retail_merchandising_system, Retail_service_backbone, Retail_xstore_point_of_service, Webcenter_portal	8.1
2021-01-07	CVE-2020-36183	FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.	Debian_linux, Jackson\-Databind, Cloud_backup, Service_level_manager, Agile_plm, Application_testing_suite, Autovue_for_agile_product_lifecycle_management, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_extensibility_workbench, Banking_supply_chain_finance, Banking_treasury_management, Banking_virtual_account_management, Blockchain_platform, Commerce_platform, Communications_billing_and_revenue_management, Communications_cloud_native_core_policy, Communications_cloud_native_core_unified_data_repository, Communications_convergent_charging_controller, Communications_diameter_signaling_route, Communications_element_manager, Communications_evolved_communications_application_server, Communications_instant_messaging_server, Communications_network_charging_and_control, Communications_offline_mediation_controller, Communications_policy_management, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Communications_unified_inventory_management, Data_integrator, Documaker, Goldengate_application_adapters, Insurance_policy_administration, Insurance_rules_palette, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Primavera_unifier, Retail_customer_management_and_segmentation_foundation, Retail_merchandising_system, Retail_service_backbone, Retail_xstore_point_of_service, Webcenter_portal	8.1
2021-03-01	CVE-2021-25122	When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.	Tomcat, Debian_linux, Agile_plm, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_instant_messaging_server, Database, Graph_server_and_client, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Siebel_ui_framework	7.5
2021-03-01	CVE-2021-25329	The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.	Tomcat, Debian_linux, Agile_plm, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_instant_messaging_server, Database, Graph_server_and_client, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Siebel_ui_framework	7.0
2021-07-12	CVE-2021-33037	Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the...	Tomcat, Tomee, Debian_linux, Epolicy_orchestrator, Agile_plm, Communications_cloud_native_core_policy, Communications_cloud_native_core_service_communication_proxy, Communications_diameter_signaling_router, Communications_instant_messaging_server, Communications_policy_management, Communications_pricing_design_center, Communications_session_report_manager, Communications_session_route_manager, Graph_server_and_client, Healthcare_translational_research, Hospitality_cruise_shipboard_property_management_system, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Sd\-Wan_edge, Secure_global_desktop, Utilities_testing_accelerator	5.3
2021-10-19	CVE-2021-37136	The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack	Debian_linux, Oncommand_insight, Netty, Banking_apis, Banking_digital_experience, Coherence, Commerce_guided_search, Communications_brm_\-_elastic_charging_engine, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_network_slice_selection_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_unified_data_repository, Communications_diameter_signaling_router, Communications_instant_messaging_server, Helidon, Peoplesoft_enterprise_peopletools, Webcenter_portal, Quarkus	7.5
2021-12-09	CVE-2021-43797	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote...	Debian_linux, Oncommand_workflow_automation, Snapcenter, Netty, Banking_deposits_and_lines_of_credit_servicing, Banking_party_management, Banking_platform, Coherence, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_network_slice_selection_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_unified_data_repository, Communications_design_studio, Communications_instant_messaging_server, Helidon, Peoplesoft_enterprise_peopletools, Quarkus	6.5
2022-01-18	CVE-2022-23302	JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use...	Log4j, Brocade_sannav, Snapmanager, Advanced_supply_chain_planning, Business_intelligence, Business_process_management_suite, Communications_eagle_ftp_table_base_retrieval, Communications_instant_messaging_server, Communications_messaging_server, Communications_network_integrity, Communications_offline_mediation_controller, Communications_unified_inventory_management, E\-Business_suite_cloud_manager_and_cloud_backup_module, Enterprise_manager_base_platform, Financial_services_revenue_management_and_billing_analytics, Healthcare_foundation, Hyperion_data_relationship_management, Hyperion_infrastructure_technology, Identity_management_suite, Identity_manager_connector, Jdeveloper, Middleware_common_libraries_and_tools, Mysql_enterprise_monitor, Tuxedo, Weblogic_server, Reload4j	8.8
2022-01-18	CVE-2022-23305	By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the...	Log4j, Brocade_sannav, Snapmanager, Advanced_supply_chain_planning, Business_intelligence, Business_process_management_suite, Communications_eagle_ftp_table_base_retrieval, Communications_instant_messaging_server, Communications_messaging_server, Communications_network_integrity, Communications_offline_mediation_controller, Communications_unified_inventory_management, E\-Business_suite_cloud_manager_and_cloud_backup_module, E\-Business_suite_information_discovery, Enterprise_manager_base_platform, Financial_services_revenue_management_and_billing_analytics, Healthcare_foundation, Hyperion_data_relationship_management, Hyperion_infrastructure_technology, Identity_management_suite, Identity_manager_connector, Jdeveloper, Middleware_common_libraries_and_tools, Mysql_enterprise_monitor, Retail_extract_transform_and_load, Tuxedo, Weblogic_server, Reload4j	9.8
2022-01-18	CVE-2022-23307	CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.	Chainsaw, Log4j, Advanced_supply_chain_planning, Business_intelligence, Business_process_management_suite, Communications_eagle_ftp_table_base_retrieval, Communications_instant_messaging_server, Communications_messaging_server, Communications_network_integrity, Communications_offline_mediation_controller, Communications_unified_inventory_management, E\-Business_suite_cloud_manager_and_cloud_backup_module, Enterprise_manager_base_platform, Financial_services_revenue_management_and_billing_analytics, Healthcare_foundation, Hyperion_data_relationship_management, Hyperion_infrastructure_technology, Identity_management_suite, Identity_manager_connector, Jdeveloper, Middleware_common_libraries_and_tools, Mysql_enterprise_monitor, Retail_extract_transform_and_load, Tuxedo, Weblogic_server, Reload4j	8.8