|
2020-11-06
|
CVE-2020-28196
|
MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.
|
Fedora, Kerberos_5, Active_iq_unified_manager, Cloud_backup, Oncommand_insight, Oncommand_workflow_automation, Snapcenter, Communications_cloud_native_core_policy, Communications_offline_mediation_controller, Communications_pricing_design_center, Mysql_server
|
7.5
|
|
|
|
2020-12-03
|
CVE-2020-25649
|
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
|
Iotdb, Jackson\-Databind, Fedora, Oncommand_api_services, Oncommand_workflow_automation, Service_level_manager, Agile_plm, Agile_product_lifecycle_management_integration_pack, Banking_apis, Banking_platform, Banking_treasury_management, Blockchain_platform, Coherence, Commerce_platform, Communications_billing_and_revenue_management, Communications_cloud_native_core_unified_data_repository, Communications_convergent_charging_controller, Communications_evolved_communications_application_server, Communications_instant_messaging_server, Communications_interactive_session_recorder, Communications_messaging_server, Communications_network_charging_and_control, Communications_offline_mediation_controller, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_unified_inventory_management, Goldengate_application_adapters, Health_sciences_empirica_signal, Insurance_policy_administration, Insurance_rules_palette, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Retail_service_backbone, Retail_xstore_point_of_service, Sd\-Wan_edge, Utilities_framework, Webcenter_portal, Quarkus
|
7.5
|
|
|
|
2020-12-03
|
CVE-2020-27783
|
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
|
Debian_linux, Fedora, Lxml, Snapcenter, Communications_offline_mediation_controller, Zfs_storage_appliance_kit, Enterprise_linux, Software_collections
|
6.1
|
|
|
|
2021-01-19
|
CVE-2021-3177
|
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
|
Debian_linux, Fedora, Active_iq_unified_manager, Ontap_select_deploy_administration_utility, Communications_cloud_native_core_network_function_cloud_native_environment, Communications_offline_mediation_controller, Communications_pricing_design_center, Enterprise_manager_ops_center, Zfs_storage_appliance_kit, Python
|
9.8
|
|
|
|
2021-02-15
|
CVE-2021-23336
|
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can...
|
Debian_linux, Django, Fedora, Cloud_backup, Inventory_collect_tool, Ontap_select_deploy_administration_utility, Snapcenter, Communications_offline_mediation_controller, Communications_pricing_design_center, Enterprise_manager_ops_center, Zfs_storage_appliance, Python
|
5.9
|
|
|
|
2021-03-05
|
CVE-2021-28041
|
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
|
Fedora, Cloud_backup, Hci_compute_node_firmware, Hci_management_node, Hci_storage_node_firmware, Solidfire, Openssh, Communications_offline_mediation_controller, Zfs_storage_appliance
|
7.1
|
|
|
|
2021-04-13
|
CVE-2021-29425
|
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
|
Commons_io, Debian_linux, Active_iq_unified_manager, Access_manager, Agile_engineering_data_management, Agile_plm, Application_performance_management, Application_testing_suite, Banking_apis, Banking_digital_experience, Banking_enterprise_default_management, Banking_enterprise_default_managment, Banking_party_management, Banking_platform, Blockchain_platform, Commerce_guided_search, Communications_application_session_controller, Communications_billing_and_revenue_management_elastic_charging_engine, Communications_cloud_native_core_network_repository_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_unified_data_repository, Communications_contacts_server, Communications_converged_application_server_\-_service_controller, Communications_convergence, Communications_design_studio, Communications_diameter_intelligence_hub, Communications_interactive_session_recorder, Communications_offline_mediation_controller, Communications_order_and_service_management, Communications_policy_management, Communications_pricing_design_center, Communications_service_broker, Enterprise_communications_broker, Enterprise_session_border_controller, Financial_services_analytical_applications_infrastructure, Financial_services_model_management_and_governance, Flexcube_core_banking, Fusion_middleware_mapviewer, Health_sciences_data_management_workbench, Health_sciences_information_manager, Healthcare_data_repository, Helidon, Insurance_policy_administration, Insurance_rules_palette, Oss_support_tools, Primavera_unifier, Real_user_experience_insight, Rest_data_services, Retail_assortment_planning, Retail_integration_bus, Retail_merchandising_system, Retail_order_broker, Retail_pricing, Retail_service_backbone, Retail_size_profile_optimization, Retail_xstore_point_of_service, Solaris_cluster, Utilities_testing_accelerator, Webcenter_portal, Weblogic_server
|
4.8
|
|
|
|
2021-12-28
|
CVE-2021-44832
|
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
|
Log4j, Cloudcenter, Debian_linux, Fedora, Communications_brm_\-_elastic_charging_engine, Communications_diameter_signaling_router, Communications_interactive_session_recorder, Communications_offline_mediation_controller, Flexcube_private_banking, Health_sciences_data_management_workbench, Policy_automation, Policy_automation_for_mobile_devices, Primavera_gateway, Primavera_p6_enterprise_project_portfolio_management, Primavera_unifier, Product_lifecycle_analytics, Retail_assortment_planning, Retail_fiscal_management, Retail_order_broker, Retail_xstore_point_of_service, Siebel_ui_framework, Weblogic_server
|
6.6
|
|
|
|
2020-09-17
|
CVE-2020-24750
|
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
|
Debian_linux, Jackson\-Databind, Agile_plm, Application_testing_suite, Autovue_for_agile_product_lifecycle_management, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_liquidity_management, Banking_supply_chain_finance, Blockchain_platform, Communications_calendar_server, Communications_contacts_server, Communications_diameter_signaling_router, Communications_element_manager, Communications_instant_messaging_server, Communications_messaging_server, Communications_offline_mediation_controller, Communications_policy_management, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Communications_unified_inventory_management, Identity_manager_connector, Siebel_core_\-_server_framework, Siebel_ui_framework
|
8.1
|
|
|
|
2021-01-06
|
CVE-2020-36185
|
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
|
Debian_linux, Jackson\-Databind, Cloud_backup, Service_level_manager, Agile_plm, Application_testing_suite, Autovue_for_agile_product_lifecycle_management, Banking_corporate_lending_process_management, Banking_credit_facilities_process_management, Banking_extensibility_workbench, Banking_supply_chain_finance, Banking_treasury_management, Banking_virtual_account_management, Blockchain_platform, Commerce_platform, Communications_billing_and_revenue_management, Communications_cloud_native_core_policy, Communications_cloud_native_core_unified_data_repository, Communications_convergent_charging_controller, Communications_diameter_signaling_route, Communications_element_manager, Communications_evolved_communications_application_server, Communications_instant_messaging_server, Communications_network_charging_and_control, Communications_offline_mediation_controller, Communications_policy_management, Communications_pricing_design_center, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Communications_unified_inventory_management, Data_integrator, Documaker, Goldengate_application_adapters, Insurance_policy_administration, Insurance_rules_palette, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Primavera_unifier, Retail_customer_management_and_segmentation_foundation, Retail_merchandising_system, Retail_service_backbone, Retail_xstore_point_of_service, Webcenter_portal
|
8.1
|
|
|