Vulnerabilities (CVE)

Filtered by vendor Oracle Subscribe
Filtered by product Enterprise Manager Ops Center
Total 107 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-2726 1 Oracle 1 Enterprise Manager Ops Center 2024-02-28 6.3 MEDIUM 6.3 MEDIUM
Vulnerability in the Enterprise Manager Ops Center component of Oracle Enterprise Manager Products Suite (subcomponent: Services Integration). The supported version that is affected is 12.3.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Ops Center. While the vulnerability is in Enterprise Manager Ops Center, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Ops Center. CVSS 3.0 Base Score 6.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H).
CVE-2019-5436 7 Debian, F5, Fedoraproject and 4 more 11 Debian Linux, Traffix Signaling Delivery Controller, Fedora and 8 more 2024-02-28 4.6 MEDIUM 7.8 HIGH
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVE-2019-0190 3 Apache, Openssl, Oracle 6 Http Server, Openssl, Enterprise Manager Ops Center and 3 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
CVE-2018-11058 2 Dell, Oracle 13 Bsafe, Bsafe Crypto-c, Application Testing Suite and 10 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition, version prior to 4.0.5.3 (in 4.0.x) contain a Buffer Over-Read vulnerability when parsing ASN.1 data. A remote attacker could use maliciously constructed ASN.1 data that would result in such issue.
CVE-2018-11057 2 Dell, Oracle 12 Bsafe, Application Testing Suite, Communications Analytics and 9 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x) contains a Covert Timing Channel vulnerability during RSA decryption, also known as a Bleichenbacher attack on RSA decryption. A remote attacker may be able to recover a RSA key.
CVE-2018-11054 2 Dell, Oracle 12 Bsafe, Application Testing Suite, Communications Analytics and 9 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
RSA BSAFE Micro Edition Suite, version 4.1.6, contains an integer overflow vulnerability. A remote attacker could use maliciously constructed ASN.1 data to potentially cause a Denial Of Service.
CVE-2018-11055 2 Dell, Oracle 12 Bsafe, Application Testing Suite, Communications Analytics and 9 more 2024-02-28 2.1 LOW 5.5 MEDIUM
RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x), contains an Improper Clearing of Heap Memory Before Release ('Heap Inspection') vulnerability. Decoded PKCS #12 data in heap memory is not zeroized by MES before releasing the memory internally and a malicious local user could gain access to the unauthorized data by doing heap inspection.
CVE-2018-5407 7 Canonical, Debian, Nodejs and 4 more 20 Ubuntu Linux, Debian Linux, Node.js and 17 more 2024-02-28 1.9 LOW 4.7 MEDIUM
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-17189 7 Apache, Canonical, Debian and 4 more 13 Http Server, Ubuntu Linux, Debian Linux and 10 more 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
CVE-2018-0735 6 Canonical, Debian, Netapp and 3 more 23 Ubuntu Linux, Debian Linux, Cloud Backup and 20 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
CVE-2018-11056 2 Dell, Oracle 13 Bsafe, Bsafe Crypto-c, Application Testing Suite and 10 more 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
RSA BSAFE Micro Edition Suite, prior to 4.1.6.1 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.3 (in 4.0.x) contain an Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability when parsing ASN.1 data. A remote attacker could use maliciously constructed ASN.1 data that would exhaust the stack, potentially causing a Denial Of Service.
CVE-2018-11763 5 Apache, Canonical, Netapp and 2 more 9 Http Server, Ubuntu Linux, Storage Automation Store and 6 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2019-3822 7 Canonical, Debian, Haxx and 4 more 16 Ubuntu Linux, Debian Linux, Libcurl and 13 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
CVE-2018-2976 1 Oracle 1 Enterprise Manager Ops Center 2024-02-28 6.4 MEDIUM 8.2 HIGH
Vulnerability in the Enterprise Manager Ops Center component of Oracle Enterprise Manager Products Suite (subcomponent: Networking). The supported version that is affected is 12.2.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Ops Center. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Ops Center accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Ops Center accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
CVE-2018-0734 6 Canonical, Debian, Netapp and 3 more 20 Ubuntu Linux, Debian Linux, Cloud Backup and 17 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVE-2018-15756 3 Debian, Oracle, Vmware 40 Debian Linux, Agile Plm, Communications Brm - Elastic Charging Engine and 37 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
CVE-2018-15769 2 Dell, Oracle 12 Bsafe, Application Testing Suite, Communications Analytics and 9 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is sent to the TLS client, and an Ephemeral or Anonymous Diffie-Hellman cipher suite (DHE or ADH) is used.
CVE-2019-1559 13 Canonical, Debian, F5 and 10 more 90 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 87 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVE-2018-17199 5 Apache, Canonical, Debian and 2 more 6 Http Server, Ubuntu Linux, Debian Linux and 3 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2018-1000301 5 Canonical, Debian, Haxx and 2 more 9 Ubuntu Linux, Debian Linux, Curl and 6 more 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.