Filtered by vendor Oracle Subscriptions
Filtered by product Communications Instant Messaging Server Subscriptions
Total 57 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-36181 5 Debian, Fasterxml, Netapp and 2 more 46 Debian Linux, Jackson-databind, Service Level Manager and 43 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36180 5 Debian, Fasterxml, Netapp and 2 more 47 Debian Linux, Jackson-databind, Cloud Backup and 44 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36179 5 Debian, Fasterxml, Netapp and 2 more 45 Debian Linux, Jackson-databind, Cloud Backup and 42 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-35491 5 Debian, Fasterxml, Netapp and 2 more 28 Debian Linux, Jackson-databind, Service Level Manager and 25 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-35490 5 Debian, Fasterxml, Netapp and 2 more 27 Debian Linux, Jackson-databind, Service Level Manager and 24 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-25649 7 Apache, Fasterxml, Fedoraproject and 4 more 50 Iotdb, Jackson-databind, Fedora and 47 more 2024-11-21 7.5 High
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVE-2020-24750 4 Debian, Fasterxml, Oracle and 1 more 29 Debian Linux, Jackson-databind, Agile Plm and 26 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-24616 4 Debian, Fasterxml, Netapp and 1 more 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2020-1938 8 Apache, Blackberry, Debian and 5 more 27 Geode, Tomcat, Good Control and 24 more 2024-11-21 9.8 Critical
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
CVE-2020-1935 7 Apache, Canonical, Debian and 4 more 25 Tomcat, Ubuntu Linux, Debian Linux and 22 more 2024-11-21 4.8 Medium
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
CVE-2020-17527 5 Apache, Debian, Netapp and 2 more 15 Tomcat, Debian Linux, Element Plug-in and 12 more 2024-11-21 7.5 High
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
CVE-2020-14195 5 Debian, Fasterxml, Netapp and 2 more 17 Debian Linux, Jackson-databind, Active Iq Unified Manager and 14 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVE-2020-14061 5 Debian, Fasterxml, Netapp and 2 more 20 Debian Linux, Jackson-databind, Active Iq Unified Manager and 17 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVE-2020-13935 8 Apache, Canonical, Debian and 5 more 23 Tomcat, Ubuntu Linux, Debian Linux and 20 more 2024-11-21 7.5 High
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
CVE-2020-13934 7 Apache, Canonical, Debian and 4 more 17 Tomcat, Ubuntu Linux, Debian Linux and 14 more 2024-11-21 7.5 High
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
CVE-2020-11620 5 Debian, Fasterxml, Netapp and 2 more 26 Debian Linux, Jackson-databind, Active Iq Unified Manager and 23 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVE-2020-11619 5 Debian, Fasterxml, Netapp and 2 more 31 Debian Linux, Jackson-databind, Active Iq Unified Manager and 28 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVE-2020-11113 5 Debian, Fasterxml, Netapp and 2 more 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more 2024-11-21 8.8 High
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVE-2020-11112 5 Debian, Fasterxml, Netapp and 2 more 39 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 36 more 2024-11-21 8.8 High
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVE-2020-11111 5 Debian, Fasterxml, Netapp and 2 more 33 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 30 more 2024-11-21 8.8 High
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).