Vulnerabilities (CVE)

Filtered by vendor Oracle Subscribe
Filtered by product Communications Diameter Signaling Router
Total 80 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-9484 7 Apache, Canonical, Debian and 4 more 26 Tomcat, Ubuntu Linux, Debian Linux and 23 more 2023-12-10 4.4 MEDIUM 7.0 HIGH
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CVE-2020-24750 3 Debian, Fasterxml, Oracle 26 Debian Linux, Jackson-databind, Agile Plm and 23 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-1945 5 Apache, Canonical, Fedoraproject and 2 more 50 Ant, Ubuntu Linux, Fedora and 47 more 2023-12-10 3.3 LOW 6.3 MEDIUM
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
CVE-2020-11113 4 Debian, Fasterxml, Netapp and 1 more 32 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 29 more 2023-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVE-2020-10969 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2023-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVE-2020-10672 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2023-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVE-2020-11998 2 Apache, Oracle 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more 2023-12-10 7.5 HIGH 9.8 CRITICAL
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13
CVE-2020-14195 4 Debian, Fasterxml, Netapp and 1 more 14 Debian Linux, Jackson-databind, Active Iq Unified Manager and 11 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVE-2020-14060 3 Fasterxml, Netapp, Oracle 12 Jackson-databind, Active Iq Unified Manager, Steelstore Cloud Integrated Storage and 9 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVE-2020-1954 3 Apache, Netapp, Oracle 10 Cxf, Oncommand Workflow Automation, Snapmanager and 7 more 2023-12-10 2.9 LOW 5.3 MEDIUM
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
CVE-2020-11973 2 Apache, Oracle 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more 2023-12-10 7.5 HIGH 9.8 CRITICAL
Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0.
CVE-2020-24616 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2020-10543 4 Fedoraproject, Opensuse, Oracle and 1 more 15 Fedora, Leap, Communications Billing And Revenue Management and 12 more 2023-12-10 6.4 MEDIUM 8.2 HIGH
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
CVE-2020-11619 4 Debian, Fasterxml, Netapp and 1 more 21 Debian Linux, Jackson-databind, Active Iq Unified Manager and 18 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVE-2020-11994 2 Apache, Oracle 4 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 1 more 2023-12-10 5.0 MEDIUM 7.5 HIGH
Server-Side Template Injection and arbitrary file disclosure on Camel templating components
CVE-2020-10673 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2023-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVE-2020-1941 2 Apache, Oracle 7 Activemq, Communications Diameter Signaling Router, Communications Element Manager and 4 more 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
CVE-2020-14062 4 Debian, Fasterxml, Netapp and 1 more 13 Debian Linux, Jackson-databind, Active Iq Unified Manager and 10 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVE-2020-14061 4 Debian, Fasterxml, Netapp and 1 more 15 Debian Linux, Jackson-databind, Active Iq Unified Manager and 12 more 2023-12-10 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVE-2020-10968 4 Debian, Fasterxml, Netapp and 1 more 31 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 28 more 2023-12-10 6.8 MEDIUM 8.8 HIGH
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).