2018-07-09
|
CVE-2018-1000613
|
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes...
|
Legion\-Of\-The\-Bouncy\-Castle\-Java\-Crytography\-Api, Oncommand_workflow_automation, Leap, Api_gateway, Banking_platform, Business_process_management_suite, Business_transaction_management, Communications_application_session_controller, Communications_converged_application_server, Communications_convergence, Communications_diameter_signaling_router, Communications_webrtc_session_controller, Data_integrator, Enterprise_manager_base_platform, Enterprise_manager_for_fusion_middleware, Enterprise_repository, Managed_file_transfer, Peoplesoft_enterprise_peopletools, Retail_convenience_and_fuel_pos_software, Retail_xstore_point_of_service, Soa_suite, Utilities_network_management_system, Webcenter_portal, Weblogic_server
|
9.8
|
|
|
2020-01-21
|
CVE-2019-20388
|
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
|
Debian_linux, Fedora, Cloud_backup, Clustered_data_ontap, H300e_firmware, H300s_firmware, H410s_firmware, H500e_firmware, H500s_firmware, H700e_firmware, H700s_firmware, Ontap_select_deploy_administration_utility, Plug\-In_for_symantec_netbackup, Smi\-S_provider, Snapdrive, Steelstore_cloud_integrated_storage, Leap, Communications_cloud_native_core_network_function_cloud_native_environment, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Mysql_workbench, Peoplesoft_enterprise_peopletools, Real_user_experience_insight, Libxml2
|
7.5
|
|
|
2017-04-17
|
CVE-2017-5645
|
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
|
Log4j, Oncommand_api_services, Oncommand_insight, Oncommand_workflow_automation, Service_level_manager, Snapcenter, Storage_automation_store, Api_gateway, Application_testing_suite, Autovue_vuelink_integration, Banking_platform, Bi_publisher, Communications_converged_application_server_\-_service_controller, Communications_instant_messaging_server, Communications_interactive_session_recorder, Communications_messaging_server, Communications_network_integrity, Communications_online_mediation_controller, Communications_pricing_design_center, Communications_service_broker, Communications_webrtc_session_controller, Configuration_manager, Endeca_information_discovery_studio, Enterprise_data_quality, Enterprise_manager_base_platform, Enterprise_manager_for_fusion_middleware, Enterprise_manager_for_mysql_database, Enterprise_manager_for_oracle_database, Enterprise_manager_for_peoplesoft, Financial_services_analytical_applications_infrastructure, Financial_services_behavior_detection_platform, Financial_services_hedge_management_and_ifrs_valuations, Financial_services_lending_and_leasing, Financial_services_loan_loss_forecasting_and_provisioning, Financial_services_profitability_management, Financial_services_regulatory_reporting_with_agilereporter, Flexcube_investor_servicing, Fusion_middleware_mapviewer, Goldengate, Goldengate_application_adapters, Identity_analytics, Identity_management_suite, Identity_manager_connector, In\-Memory_performance\-Driven_planning, Instantis_enterprisetrack, Insurance_calculation_engine, Insurance_policy_administration, Insurance_rules_palette, Jd_edwards_enterpriseone_tools, Jdeveloper, Mysql_enterprise_monitor, Peoplesoft_enterprise_fin_install, Policy_automation, Policy_automation_connector_for_siebel, Policy_automation_for_mobile_devices, Primavera_gateway, Rapid_planning, Retail_advanced_inventory_planning, Retail_clearance_optimization_engine, Retail_extract_transform_and_load, Retail_integration_bus, Retail_open_commerce_platform, Retail_predictive_application_server, Retail_service_backbone, Siebel_ui_framework, Soa_suite, Tape_library_acsls, Timesten_in\-Memory_database, Utilities_advanced_spatial_and_operational_analytics, Utilities_work_and_asset_management, Weblogic_server, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Fuse
|
9.8
|
|
|
2017-06-16
|
CVE-2017-9735
|
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
|
Debian_linux, Jetty, Communications_cloud_native_core_policy, Enterprise_manager_base_platform, Hospitality_guest_access, Rest_data_services, Retail_xstore_point_of_service
|
7.5
|
|
|
2018-10-29
|
CVE-2018-0735
|
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
|
Ubuntu_linux, Debian_linux, Cloud_backup, Cn1610_firmware, Element_software, Oncommand_unified_manager, Santricity_smi\-S_provider, Smi\-S_provider, Snapdrive, Steelstore, Node\.js, Openssl, Api_gateway, Application_server, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Mysql, Peoplesoft_enterprise_peopletools, Primavera_p6_enterprise_project_portfolio_management, Secure_global_desktop, Tuxedo, Vm_virtualbox
|
5.9
|
|
|
2018-10-30
|
CVE-2018-0734
|
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
|
Ubuntu_linux, Debian_linux, Cloud_backup, Cn1610_firmware, Oncommand_unified_manager, Santricity_smi\-S_provider, Snapcenter, Steelstore, Storage_automation_store, Node\.js, Openssl, Api_gateway, E\-Business_suite_technology_stack, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Mysql_enterprise_backup, Peoplesoft_enterprise_peopletools, Primavera_p6_professional_project_management, Tuxedo
|
5.9
|
|
|
2018-11-15
|
CVE-2018-5407
|
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
|
Ubuntu_linux, Debian_linux, Node\.js, Openssl, Api_gateway, Application_server, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Mysql_enterprise_backup, Peoplesoft_enterprise_peopletools, Primavera_p6_enterprise_project_portfolio_management, Tuxedo, Vm_virtualbox, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Nessus
|
4.7
|
|
|
2019-02-27
|
CVE-2019-1559
|
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt...
|
Ubuntu_linux, Debian_linux, Big\-Ip_access_policy_manager, Big\-Ip_advanced_firewall_manager, Big\-Ip_analytics, Big\-Ip_application_acceleration_manager, Big\-Ip_application_security_manager, Big\-Ip_domain_name_system, Big\-Ip_edge_gateway, Big\-Ip_fraud_protection_service, Big\-Ip_global_traffic_manager, Big\-Ip_link_controller, Big\-Ip_local_traffic_manager, Big\-Ip_policy_enforcement_manager, Big\-Ip_webaccelerator, Big\-Iq_centralized_management, Traffix_signaling_delivery_controller, Fedora, Agent, Data_exchange_layer, Threat_intelligence_exchange_server, Web_gateway, A220_firmware, A320_firmware, A800_firmware, Active_iq_unified_manager, Altavault, C190_firmware, Cloud_backup, Clustered_data_ontap_antivirus_connector, Cn1610_firmware, Element_software, Fas2720_firmware, Fas2750_firmware, Hci_compute_node, Hci_management_node, Hyper_converged_infrastructure, Oncommand_insight, Oncommand_unified_manager, Oncommand_unified_manager_core_package, Oncommand_workflow_automation, Ontap_select_deploy, Ontap_select_deploy_administration_utility, Santricity_smi\-S_provider, Service_processor, Smi\-S_provider, Snapcenter, Snapdrive, Snapprotect, Solidfire, Steelstore_cloud_integrated_storage, Storage_automation_store, Storagegrid, Node\.js, Openssl, Leap, Api_gateway, Business_intelligence, Communications_diameter_signaling_router, Communications_performance_intelligence_center, Communications_session_border_controller, Communications_session_router, Communications_unified_session_manager, Endeca_server, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Jd_edwards_enterpriseone_tools, Jd_edwards_world_security, Mysql, Mysql_enterprise_monitor, Mysql_workbench, Peoplesoft_enterprise_peopletools, Secure_global_desktop, Services_tools_bundle, Pan\-Os, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation, Jboss_enterprise_web_server, Virtualization, Virtualization_host, Nessus
|
5.9
|
|
|
2019-03-28
|
CVE-2019-0222
|
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
|
Activemq, Debian_linux, E\-Series_santricity_web_services, Communications_diameter_signaling_router, Enterprise_manager_base_platform, Enterprise_repository, Goldengate_stream_analytics, Identity_manager_connector
|
7.5
|
|
|
2019-04-22
|
CVE-2019-10246
|
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
|
Jetty, Element, Oncommand_system_manager, Snap_creator_framework, Snapcenter, Snapmanager, Storage_replication_adapter_for_clustered_data_ontap, Storage_services_connector, Vasa_provider_for_clustered_data_ontap, Virtual_storage_console, Autovue, Communications_analytics, Communications_element_manager, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Data_integrator, Endeca_information_discovery_integrator, Enterprise_manager_base_platform, Flexcube_core_banking, Flexcube_private_banking, Hospitality_guest_access, Rest_data_services, Retail_xstore_point_of_service, Unified_directory
|
5.3
|
|
|