Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Retail_xstore_point_of_service
(Oracle)| Repositories | https://github.com/bcgit/bc-java |
| #Vulnerabilities | 126 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-07-26 | CVE-2019-13990 | initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. | Tomee, Jira_service_management, Active_iq_unified_manager, Cloud_secure_agent, Apache_batik_mapviewer, Banking_enterprise_originations, Banking_enterprise_product_manufacturing, Banking_payments, Communications_ip_service_activator, Communications_session_route_manager, Customer_management_and_segmentation_foundation, Documaker, Enterprise_manager_base_platform, Enterprise_manager_ops_center, Flexcube_investor_servicing, Flexcube_private_banking, Fusion_middleware_mapviewer, Google_guava_mapviewer, Hyperion_infrastructure_technology, Jd_edwards_enterpriseone_orchestrator, Primavera_unifier, Retail_back_office, Retail_central_office, Retail_integration_bus, Retail_order_broker, Retail_point\-Of\-Service, Retail_returns_management, Retail_xstore_point_of_service, Terracotta_quartz_scheduler_mapviewer, Webcenter_sites, Quartz | 9.8 | ||
| 2017-06-16 | CVE-2017-9735 | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. | Debian_linux, Jetty, Communications_cloud_native_core_policy, Enterprise_manager_base_platform, Hospitality_guest_access, Rest_data_services, Retail_xstore_point_of_service | 7.5 | ||
| 2018-03-16 | CVE-2018-1199 | Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers... | Rapid_planning, Retail_xstore_point_of_service, Fuse, Spring_framework, Spring_security | 5.3 | ||
| 2018-04-06 | CVE-2018-1270 | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. | Debian_linux, Application_testing_suite, Big_data_discovery, Communications_converged_application_server, Communications_diameter_signaling_router, Communications_performance_intelligence_center, Communications_services_gatekeeper, Enterprise_manager_ops_center, Goldengate_for_big_data, Health_sciences_information_manager, Healthcare_master_person_index, Insurance_calculation_engine, Insurance_rules_palette, Primavera_gateway, Retail_back_office, Retail_central_office, Retail_customer_insights, Retail_integration_bus, Retail_open_commerce_platform, Retail_order_broker, Retail_point\-Of\-Sale, Retail_predictive_application_server, Retail_returns_management, Retail_xstore_point_of_service, Service_architecture_leveraging_tuxedo, Tape_library_acsls, Fuse, Spring_framework | 9.8 | ||
| 2018-04-26 | CVE-2018-10237 | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. | Guava, Banking_payments, Communications_ip_service_activator, Customer_management_and_segmentation_foundation, Database_server, Flexcube_investor_servicing, Flexcube_private_banking, Retail_integration_bus, Retail_xstore_point_of_service, Weblogic_server, Jboss_enterprise_application_platform, Openshift_container_platform, Openstack, Satellite, Satellite_capsule, Virtualization, Virtualization_host | 5.9 | ||
| 2018-06-05 | CVE-2018-1000180 | Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. | Fips_java_api, Legion\-Of\-The\-Bouncy\-Castle\-Java\-Crytography\-Api, Debian_linux, Oncommand_workflow_automation, Api_gateway, Business_process_management_suite, Business_transaction_management, Communications_application_session_controller, Communications_converged_application_server, Communications_webrtc_session_controller, Enterprise_repository, Managed_file_transfer, Peoplesoft_enterprise_peopletools, Retail_convenience_and_fuel_pos_software, Retail_xstore_point_of_service, Soa_suite, Webcenter_portal, Weblogic_server, Jboss_enterprise_application_platform, Virtualization | 7.5 | ||
| 2018-06-26 | CVE-2017-7657 | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary... | Debian_linux, Jetty, Xp_p9000_command_view, E\-Series_santricity_management, E\-Series_santricity_os_controller, E\-Series_santricity_web_services, Element_software, Element_software_management_node, Hci_storage_nodes, Oncommand_system_manager, Oncommand_unified_manager, Santricity_cloud_connector, Snap_creator_framework, Snapcenter, Snapmanager, Rest_data_services, Retail_xstore_point_of_service | 9.8 | ||
| 2018-06-26 | CVE-2017-7658 | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the... | Debian_linux, Jetty, Xp_p9000_command_view, E\-Series_santricity_management, E\-Series_santricity_os_controller, E\-Series_santricity_web_services, Hci_management_node, Hci_storage_node, Oncommand_system_manager, Oncommand_unified_manager_for_7\-Mode, Santricity_cloud_connector, Snap_creator_framework, Snapcenter, Snapmanager, Solidfire, Storage_services_connector, Rest_data_services, Retail_xstore_payment, Retail_xstore_point_of_service | 9.8 | ||
| 2018-06-27 | CVE-2018-12536 | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler,... | Jetty, Retail_xstore_point_of_service | 5.3 | ||
| 2018-09-25 | CVE-2018-11763 | In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. | Http_server, Ubuntu_linux, Storage_automation_store, Enterprise_manager_ops_center, Hospitality_guest_access, Instantis_enterprisetrack, Retail_xstore_point_of_service, Secure_global_desktop, Enterprise_linux | 5.9 |