Vulnerabilities (CVE)

Filtered by vendor Oracle Subscribe
Filtered by product Primavera Unifier
Total 88 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-35460 2 Mpxj, Oracle 2 Mpxj, Primavera Unifier 2022-08-06 5.0 MEDIUM 5.3 MEDIUM
common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.
CVE-2021-44832 5 Apache, Cisco, Debian and 2 more 13 Log4j, Cloudcenter, Debian Linux and 10 more 2022-07-25 8.5 HIGH 6.6 MEDIUM
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
CVE-2021-45105 5 Apache, Debian, Netapp and 2 more 44 Log4j, Debian Linux, Cloud Manager and 41 more 2022-07-25 4.3 MEDIUM 5.9 MEDIUM
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
CVE-2021-42575 2 Oracle, Owasp 2 Primavera Unifier, Java Html Sanitizer 2022-07-25 7.5 HIGH 9.8 CRITICAL
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.
CVE-2021-38153 3 Apache, Oracle, Quarkus 3 Kafka, Primavera Unifier, Quarkus 2022-07-25 4.3 MEDIUM 5.9 MEDIUM
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.
CVE-2021-37714 4 Jsoup, Netapp, Oracle and 1 more 13 Jsoup, Management Services For Element Software And Netapp Hci, Banking Trade Finance and 10 more 2022-07-25 5.0 MEDIUM 7.5 HIGH
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
CVE-2020-36188 4 Debian, Fasterxml, Netapp and 1 more 44 Debian Linux, Jackson-databind, Cloud Backup and 41 more 2022-07-25 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVE-2021-31811 3 Apache, Fedoraproject, Oracle 12 Pdfbox, Fedora, Banking Corporate Lending Process Management and 9 more 2022-07-25 4.3 MEDIUM 5.5 MEDIUM
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2020-36181 4 Debian, Fasterxml, Netapp and 1 more 43 Debian Linux, Jackson-databind, Service Level Manager and 40 more 2022-07-25 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2021-35516 3 Apache, Netapp, Oracle 23 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 20 more 2022-07-25 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2020-28500 2 Lodash, Oracle 16 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 13 more 2022-07-25 5.0 MEDIUM 5.3 MEDIUM
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVE-2020-36183 4 Debian, Fasterxml, Netapp and 1 more 44 Debian Linux, Jackson-databind, Cloud Backup and 41 more 2022-07-25 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVE-2020-36186 4 Debian, Fasterxml, Netapp and 1 more 44 Debian Linux, Jackson-databind, Cloud Backup and 41 more 2022-07-25 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVE-2020-36185 4 Debian, Fasterxml, Netapp and 1 more 44 Debian Linux, Jackson-databind, Cloud Backup and 41 more 2022-07-25 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVE-2021-36374 2 Apache, Oracle 33 Ant, Agile Plm, Banking Trade Finance and 30 more 2022-07-25 4.3 MEDIUM 5.5 MEDIUM
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
CVE-2020-5258 3 Debian, Linuxfoundation, Oracle 10 Debian Linux, Dojo, Communications Application Session Controller and 7 more 2022-07-25 5.0 MEDIUM 7.7 HIGH
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2
CVE-2021-23337 3 Lodash, Netapp, Oracle 20 Lodash, Active Iq Unified Manager, Cloud Manager and 17 more 2022-07-25 6.5 MEDIUM 7.2 HIGH
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVE-2021-35517 3 Apache, Netapp, Oracle 26 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 23 more 2022-07-25 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVE-2020-36187 4 Debian, Fasterxml, Netapp and 1 more 44 Debian Linux, Jackson-databind, Cloud Backup and 41 more 2022-07-25 6.8 MEDIUM 8.1 HIGH
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVE-2021-36090 3 Apache, Netapp, Oracle 33 Commons Compress, Active Iq Unified Manager, Oncommand Insight and 30 more 2022-07-25 5.0 MEDIUM 7.5 HIGH
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.