|
Lines 58-63
Link Here
|
| 58 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
58 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
| 59 |
--> |
59 |
--> |
| 60 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
60 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
|
|
61 |
<vuln vid="93f8e0ff-f33d-11e8-be46-0019dbb15b3f"> |
| 62 |
<topic>payara -- Default typing issue in Jackson Databind</topic> |
| 63 |
<affects> |
| 64 |
<package> |
| 65 |
<name>payara</name> |
| 66 |
<range><eq>4.1.2.181.3</eq></range> |
| 67 |
<range><eq>4.1.2.182</eq></range> |
| 68 |
<range><eq>5.181.3</eq></range> |
| 69 |
<range><eq>5.182</eq></range> |
| 70 |
</package> |
| 71 |
</affects> |
| 72 |
<description> |
| 73 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 74 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489"> |
| 75 |
<p>FasterXML jackson-databind before 2.8.11.1 and 2.9.x before |
| 76 |
2.9.5 allows unauthenticated remote code execution because of |
| 77 |
an incomplete fix for the CVE-2017-7525 deserialization flaw. |
| 78 |
This is exploitable by sending maliciously crafted JSON input |
| 79 |
to the readValue method of the ObjectMapper, bypassing a |
| 80 |
blacklist that is ineffective if the c3p0 libraries are |
| 81 |
available in the classpath.</p> |
| 82 |
</blockquote> |
| 83 |
</body> |
| 84 |
</description> |
| 85 |
<references> |
| 86 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489</url> |
| 87 |
<cvename>CVE-2018-7489</cvename> |
| 88 |
</references> |
| 89 |
<dates> |
| 90 |
<discovery>2018-02-26</discovery> |
| 91 |
<entry>2018-11-28</entry> |
| 92 |
</dates> |
| 93 |
</vuln> |
| 94 |
|
| 95 |
<vuln vid="22bc5327-f33f-11e8-be46-0019dbb15b3f"> |
| 96 |
<topic>payara -- Code execution via crafted PUT requests to JSPs</topic> |
| 97 |
<affects> |
| 98 |
<package> |
| 99 |
<name>payara</name> |
| 100 |
<range><eq>4.1.2.174</eq></range> |
| 101 |
</package> |
| 102 |
</affects> |
| 103 |
<description> |
| 104 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 105 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615"> |
| 106 |
<p>When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP |
| 107 |
PUTs enabled (e.g. via setting the readonly initialisation |
| 108 |
parameter of the Default to false) it was possible to upload a |
| 109 |
JSP file to the server via a specially crafted request. This |
| 110 |
JSP could then be requested and any code it contained would be |
| 111 |
executed by the server.</p> |
| 112 |
</blockquote> |
| 113 |
</body> |
| 114 |
</description> |
| 115 |
<references> |
| 116 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615</url> |
| 117 |
<cvename>CVE-2017-12615</cvename> |
| 118 |
</references> |
| 119 |
<dates> |
| 120 |
<discovery>2017-08-07</discovery> |
| 121 |
<entry>2018-11-28</entry> |
| 122 |
</dates> |
| 123 |
</vuln> |
| 124 |
|
| 125 |
<vuln vid="d70c9e18-f340-11e8-be46-0019dbb15b3f"> |
| 126 |
<topic>payara -- Multiple vulnerabilities</topic> |
| 127 |
<affects> |
| 128 |
<package> |
| 129 |
<name>payara</name> |
| 130 |
<range><eq>4.1.2.173</eq></range> |
| 131 |
</package> |
| 132 |
</affects> |
| 133 |
<description> |
| 134 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 135 |
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031"> |
| 136 |
<p>Apache Commons FileUpload before 1.3.3 |
| 137 |
DiskFileItem File Manipulation Remote Code Execution.</p> |
| 138 |
</blockquote> |
| 139 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239"> |
| 140 |
<p>Vulnerability in the Oracle GlassFish Server component of |
| 141 |
Oracle Fusion Middleware (subcomponent: Administration). |
| 142 |
Supported versions that are affected are 3.0.1 and 3.1.2. |
| 143 |
Easily exploitable vulnerability allows low privileged attacker |
| 144 |
with logon to the infrastructure where Oracle GlassFish Server |
| 145 |
executes to compromise Oracle GlassFish Server. Successful |
| 146 |
attacks of this vulnerability can result in unauthorized read |
| 147 |
access to a subset of Oracle GlassFish Server accessible data. |
| 148 |
CVSS v3.0 Base Score 3.3 (Confidentiality impacts).</p> |
| 149 |
</blockquote> |
| 150 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247"> |
| 151 |
<p>Vulnerability in the Oracle GlassFish Server component of Oracle |
| 152 |
Fusion Middleware (subcomponent: Core). Supported versions that |
| 153 |
are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable |
| 154 |
vulnerability allows unauthenticated attacker with network access |
| 155 |
via SMTP to compromise Oracle GlassFish Server. Successful |
| 156 |
attacks require human interaction from a person other than the |
| 157 |
attacker. Successful attacks of this vulnerability can result in |
| 158 |
unauthorized update, insert or delete access to some of Oracle |
| 159 |
GlassFish Server accessible data. CVSS v3.0 Base Score 4.3 |
| 160 |
(Integrity impacts).</p> |
| 161 |
</blockquote> |
| 162 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249"> |
| 163 |
<p>Vulnerability in the Oracle GlassFish Server component of |
| 164 |
Oracle Fusion Middleware (subcomponent: Security). Supported |
| 165 |
versions that are affected are 2.1.1, 3.0.1 and 3.1.2. |
| 166 |
Easily exploitable vulnerability allows unauthenticated attacker |
| 167 |
with network access via LDAP to compromise Oracle GlassFish Server. |
| 168 |
Successful attacks of this vulnerability can result in unauthorized |
| 169 |
update, insert or delete access to some of Oracle GlassFish Server |
| 170 |
accessible data as well as unauthorized read access to a subset of |
| 171 |
Oracle GlassFish Server accessible data and unauthorized ability |
| 172 |
to cause a partial denial of service (partial DOS) of Oracle |
| 173 |
GlassFish Server. CVSS v3.0 Base Score 7.3 (Confidentiality, |
| 174 |
Integrity and Availability impacts).</p> |
| 175 |
</blockquote> |
| 176 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250"> |
| 177 |
<p>Vulnerability in the Oracle GlassFish Server component of Oracle |
| 178 |
Fusion Middleware (subcomponent: Security). Supported versions that |
| 179 |
are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable |
| 180 |
vulnerability allows unauthenticated attacker with network access |
| 181 |
via HTTP to compromise Oracle GlassFish Server. Successful attacks |
| 182 |
of this vulnerability can result in unauthorized update, insert or |
| 183 |
delete access to some of Oracle GlassFish Server accessible data as |
| 184 |
well as unauthorized read access to a subset of Oracle GlassFish |
| 185 |
Server accessible data and unauthorized ability to cause a partial |
| 186 |
denial of service (partial DOS) of Oracle GlassFish Server. |
| 187 |
CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and |
| 188 |
Availability impacts).</p> |
| 189 |
</blockquote> |
| 190 |
<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528"> |
| 191 |
<p>Vulnerability in the Oracle GlassFish Server component of Oracle |
| 192 |
Fusion Middleware (subcomponent: Security). Supported versions that |
| 193 |
are affected are 2.1.1, 3.0.1 and 3.1.2. Difficult to exploit |
| 194 |
vulnerability allows unauthenticated attacker with network access |
| 195 |
via multiple protocols to compromise Oracle GlassFish Server. While |
| 196 |
the vulnerability is in Oracle GlassFish Server, attacks may |
| 197 |
significantly impact additional products. Successful attacks of this |
| 198 |
vulnerability can result in takeover of Oracle GlassFish Server. |
| 199 |
CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and |
| 200 |
Availability impacts).</p> |
| 201 |
</blockquote> |
| 202 |
</body> |
| 203 |
</description> |
| 204 |
<references> |
| 205 |
<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031</url> |
| 206 |
<cvename>CVE-2016-1000031</cvename> |
| 207 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239</url> |
| 208 |
<cvename>CVE-2017-3239</cvename> |
| 209 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247</url> |
| 210 |
<cvename>CVE-2017-3247</cvename> |
| 211 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249</url> |
| 212 |
<cvename>CVE-2017-3249</cvename> |
| 213 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250</url> |
| 214 |
<cvename>CVE-2017-3250</cvename> |
| 215 |
<url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528</url> |
| 216 |
<cvename>CVE-2016-5528</cvename> |
| 217 |
</references> |
| 218 |
<dates> |
| 219 |
<discovery>2016-06-16</discovery> |
| 220 |
<entry>2018-11-28</entry> |
| 221 |
</dates> |
| 222 |
</vuln> |
| 223 |
|
| 61 |
<vuln vid="54976998-f248-11e8-81e2-005056a311d1"> |
224 |
<vuln vid="54976998-f248-11e8-81e2-005056a311d1"> |
| 62 |
<topic>samba -- multiple vulnerabilities</topic> |
225 |
<topic>samba -- multiple vulnerabilities</topic> |
| 63 |
<affects> |
226 |
<affects> |