Total
118 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-3303 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: EM Console). Supported versions that are affected are 13.2 and 13.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | |||||
CVE-2018-2750 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 6.8 MEDIUM | 7.1 HIGH |
Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: UI Framework). The supported version that is affected is 12.1.0.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Enterprise Manager Base Platform, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). | |||||
CVE-2018-1656 | 3 Ibm, Oracle, Redhat | 6 Sdk, Enterprise Manager Base Platform, Enterprise Linux Desktop and 3 more | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. | |||||
CVE-2018-1257 | 3 Oracle, Redhat, Vmware | 30 Agile Product Lifecycle Management, Application Testing Suite, Big Data Discovery and 27 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. | |||||
CVE-2018-12539 | 2 Eclipse, Oracle | 2 Openj9, Enterprise Manager Base Platform | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no. | |||||
CVE-2018-11776 | 3 Apache, Netapp, Oracle | 8 Struts, Active Iq Unified Manager, Oncommand Insight and 5 more | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. | |||||
CVE-2018-11039 | 3 Debian, Oracle, Vmware | 33 Debian Linux, Agile Plm, Application Testing Suite and 30 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. | |||||
CVE-2018-1000613 | 4 Bouncycastle, Netapp, Opensuse and 1 more | 24 Legion-of-the-bouncy-castle-java-crytography-api, Oncommand Workflow Automation, Leap and 21 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later. | |||||
CVE-2018-0735 | 6 Canonical, Debian, Netapp and 3 more | 23 Ubuntu Linux, Debian Linux, Cloud Backup and 20 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). | |||||
CVE-2018-0734 | 6 Canonical, Debian, Netapp and 3 more | 20 Ubuntu Linux, Debian Linux, Cloud Backup and 17 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). | |||||
CVE-2017-9735 | 3 Debian, Eclipse, Oracle | 7 Debian Linux, Jetty, Communications Cloud Native Core Policy and 4 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. | |||||
CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
CVE-2017-3518 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: Discovery Framework). Supported versions that are affected are 12.1.0, 13.1.0 and 13.2.0. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Enterprise Manager Base Platform. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | |||||
CVE-2017-10091 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 4.0 MEDIUM | 7.7 HIGH |
Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: UI Framework). Supported versions that are affected are 12.1.0, 13.1.0 and 13.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. While the vulnerability is in Enterprise Manager Base Platform, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Enterprise Manager Base Platform accessible data. CVSS 3.0 Base Score 7.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N). | |||||
CVE-2016-5604 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 3.3 LOW | 6.3 MEDIUM |
Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.5 allows local users to affect confidentiality and integrity via vectors related to Security Framework, a different vulnerability than CVE-2016-3563. | |||||
CVE-2016-3563 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 5.4 MEDIUM | 6.3 MEDIUM |
Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.5 allows local users to affect confidentiality and integrity via vectors related to Security Framework, a different vulnerability than CVE-2016-5604. | |||||
CVE-2016-3540 | 1 Oracle | 1 Enterprise Manager Base Platform | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.5 and 13.1.0.0 allows remote attackers to affect confidentiality via vectors related to UI Framework. | |||||
CVE-2016-2381 | 5 Canonical, Debian, Opensuse and 2 more | 10 Ubuntu Linux, Debian Linux, Opensuse and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp. |