Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Graalvm
(Oracle)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 153 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-12-08 | CVE-2020-1971 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp... | Debian_linux, Fedora, Active_iq_unified_manager, Aff_a250_firmware, Clustered_data_ontap_antivirus_connector, Data_ontap, E\-Series_santricity_os_controller, Ef600a_firmware, Hci_compute_node, Hci_management_node, Hci_storage_node, Manageability_software_development_kit, Oncommand_insight, Oncommand_workflow_automation, Plug\-In_for_symantec_netbackup, Santricity_smi\-S_provider, Snapcenter, Solidfire, Node\.js, Openssl, Api_gateway, Business_intelligence, Communications_cloud_native_core_network_function_cloud_native_environment, Communications_diameter_intelligence_hub, Communications_session_border_controller, Communications_session_router, Communications_subscriber\-Aware_load_balancer, Communications_unified_session_manager, Enterprise_communications_broker, Enterprise_manager_base_platform, Enterprise_manager_for_storage_management, Enterprise_manager_ops_center, Enterprise_session_border_controller, Essbase, Graalvm, Http_server, Jd_edwards_enterpriseone_tools, Jd_edwards_world_security, Mysql, Mysql_server, Peoplesoft_enterprise_peopletools, Sinec_infrastructure_network_services, Log_correlation_engine, Nessus_network_monitor | 5.9 | ||
| 2021-01-06 | CVE-2020-8265 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially... | Debian_linux, Fedora, Node\.js, Graalvm, Sinec_infrastructure_network_services | 8.1 | ||
| 2021-01-06 | CVE-2020-8287 | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. | Debian_linux, Fedora, Node\.js, Graalvm, Sinec_infrastructure_network_services | 6.5 | ||
| 2021-02-16 | CVE-2021-23840 | Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these... | Debian_linux, M10\-1_firmware, M10\-4_firmware, M10\-4s_firmware, M12\-1_firmware, M12\-2_firmware, M12\-2s_firmware, Epolicy_orchestrator, Node\.js, Openssl, Business_intelligence, Communications_cloud_native_core_policy, Enterprise_manager_for_storage_management, Enterprise_manager_ops_center, Graalvm, Jd_edwards_enterpriseone_tools, Jd_edwards_world_security, Mysql_server, Nosql_database, Log_correlation_engine, Nessus_network_monitor | 7.5 | ||
| 2021-02-16 | CVE-2021-23841 | The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function... | Ipados, Iphone_os, Macos, Safari, Debian_linux, Oncommand_insight, Oncommand_workflow_automation, Snapcenter, Openssl, Business_intelligence, Communications_cloud_native_core_policy, Enterprise_manager_for_storage_management, Enterprise_manager_ops_center, Essbase, Graalvm, Jd_edwards_world_security, Mysql_enterprise_monitor, Mysql_server, Peoplesoft_enterprise_peopletools, Zfs_storage_appliance_kit, Sinec_ins, Nessus_network_monitor, Tenable\.sc | 5.9 | ||
| 2021-02-16 | CVE-2021-23839 | OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is... | Openssl, Business_intelligence, Enterprise_manager_for_storage_management, Enterprise_manager_ops_center, Graalvm, Jd_edwards_world_security, Zfs_storage_appliance_kit, Sinec_ins | 3.7 | ||
| 2021-03-03 | CVE-2021-22883 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run... | Fedora, E\-Series_performance_analyzer, Node\.js, Graalvm, Jd_edwards_enterpriseone_tools, Mysql_cluster, Nosql_database, Peoplesoft_enterprise_peopletools, Sinec_infrastructure_network_services | 7.5 | ||
| 2021-03-03 | CVE-2021-22884 | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the... | Fedora, Active_iq_unified_manager, E\-Series_performance_analyzer, Oncommand_insight, Oncommand_workflow_automation, Snapcenter, Node\.js, Graalvm, Jd_edwards_enterpriseone_tools, Mysql_cluster, Nosql_database, Peoplesoft_enterprise_peopletools, Sinec_infrastructure_network_services | 7.5 | ||
| 2021-03-12 | CVE-2021-27290 | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. | Graalvm, Sinec_infrastructure_network_services, Ssri | 7.5 | ||
| 2021-03-23 | CVE-2021-21349 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security... | Debian_linux, Fedora, Banking_enterprise_default_management, Banking_platform, Banking_virtual_account_management, Business_activity_monitoring, Communications_billing_and_revenue_management_elastic_charging_engine, Communications_policy_management, Communications_unified_inventory_management, Graalvm, Java_se, Retail_xstore_point_of_service, Webcenter_portal, Xstream | 8.6 |