Vulnerabilities (CVE)

Filtered by vendor Oracle Subscribe
Filtered by product Jd Edwards Enterpriseone Tools
Total 126 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-27216 6 Apache, Debian, Eclipse and 3 more 19 Beam, Debian Linux, Jetty and 16 more 2024-11-21 4.4 MEDIUM 7.0 HIGH
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CVE-2020-27193 2 Ckeditor, Oracle 9 Ckeditor, Agile Plm, Application Express and 6 more 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
CVE-2020-25649 6 Apache, Fasterxml, Fedoraproject and 3 more 39 Iotdb, Jackson-databind, Fedora and 36 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVE-2020-25648 4 Fedoraproject, Mozilla, Oracle and 1 more 6 Fedora, Network Security Services, Communications Offline Mediation Controller and 3 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.
CVE-2020-1971 8 Debian, Fedoraproject, Netapp and 5 more 46 Debian Linux, Fedora, Active Iq Unified Manager and 43 more 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
CVE-2020-13956 4 Apache, Netapp, Oracle and 1 more 17 Httpclient, Active Iq Unified Manager, Snapcenter and 14 more 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
CVE-2020-11620 4 Debian, Fasterxml, Netapp and 1 more 18 Debian Linux, Jackson-databind, Active Iq Unified Manager and 15 more 2024-11-21 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVE-2020-11619 4 Debian, Fasterxml, Netapp and 1 more 21 Debian Linux, Jackson-databind, Active Iq Unified Manager and 18 more 2024-11-21 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVE-2020-11113 4 Debian, Fasterxml, Netapp and 1 more 32 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 29 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVE-2020-11112 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVE-2020-11111 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 22 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVE-2020-11023 7 Debian, Drupal, Fedoraproject and 4 more 55 Debian Linux, Drupal, Fedora and 52 more 2024-11-21 4.3 MEDIUM 6.9 MEDIUM
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-10969 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVE-2020-10968 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVE-2020-10673 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVE-2020-10672 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2024-11-21 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVE-2019-2564 1 Oracle 1 Jd Edwards Enterpriseone Tools 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Web Runtime). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
CVE-2019-20330 4 Debian, Fasterxml, Netapp and 1 more 30 Debian Linux, Jackson-databind, Active Iq Unified Manager and 27 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVE-2019-1559 13 Canonical, Debian, F5 and 10 more 90 Ubuntu Linux, Debian Linux, Big-ip Access Policy Manager and 87 more 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVE-2019-17566 2 Apache, Oracle 18 Batik, Api Gateway, Business Intelligence and 15 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.