ReportizFlow
Filtered by vendor
Subscriptions
Total
74 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-20104 | 1 Atlassian | 1 Crowd | 2024-11-21 | 7.5 High |
| The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1 allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. | ||||
| CVE-2019-15903 | 3 Libexpat Project, Python, Redhat | 5 Libexpat, Python, Enterprise Linux and 2 more | 2024-11-21 | 7.5 High |
| In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. | ||||
| CVE-2019-15160 | 1 Kbrw | 1 Sweet Xml | 2024-11-21 | N/A |
| The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD. | ||||
| CVE-2019-12401 | 1 Apache | 1 Solr | 2024-11-21 | 7.5 High |
| Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs. | ||||
| CVE-2019-11253 | 2 Kubernetes, Redhat | 5 Kubernetes, Openshift, Openshift Container Platform and 2 more | 2024-11-21 | 7.5 High |
| Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send malicious YAML or JSON payloads, causing the API server to consume excessive CPU or memory, potentially crashing and becoming unavailable. Prior to v1.14.0, default RBAC policy authorized anonymous users to submit requests that could trigger this vulnerability. Clusters upgraded from a version prior to v1.14.0 keep the more permissive policy by default for backwards compatibility. | ||||
| CVE-2018-1307 | 1 Apache | 1 Juddi | 2024-11-21 | N/A |
| In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5. | ||||
| CVE-2018-16848 | 1 Redhat | 1 Openstack-mistral | 2024-11-21 | 6.5 Medium |
| A Denial of Service (DoS) condition is possible in OpenStack Mistral in versions up to and including 7.0.3. Submitting a specially crafted workflow definition YAML file containing nested anchors can lead to resource exhaustion culminating in a denial of service. | ||||
| CVE-2018-11796 | 2 Apache, Redhat | 2 Tika, Jboss Fuse | 2024-11-21 | N/A |
| In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later. | ||||
| CVE-2018-11761 | 2 Apache, Oracle | 2 Tika, Business Process Management Suite | 2024-11-21 | N/A |
| In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack. | ||||
| CVE-2018-10868 | 1 Redhat | 1 Certification | 2024-11-21 | 7.5 High |
| redhat-certification 7 does not properly restrict the number of recursive definitions of entities in XML documents, allowing an unauthenticated user to run a "Billion Laugh Attack" by replying to XMLRPC methods when getting the status of an host. | ||||
| CVE-2017-5644 | 1 Apache | 1 Poi | 2024-11-21 | N/A |
| Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. | ||||
| CVE-2017-18640 | 5 Fedoraproject, Oracle, Quarkus and 2 more | 8 Fedora, Peoplesoft Enterprise Pt Peopletools, Quarkus and 5 more | 2024-11-21 | 7.5 High |
| The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. | ||||
| CVE-2017-16932 | 1 Xmlsoft | 1 Libxml2 | 2024-11-21 | N/A |
| parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. | ||||
| CVE-2017-16931 | 1 Xmlsoft | 1 Libxml2 | 2024-11-21 | N/A |
| parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name. | ||||
| CVE-2016-8734 | 2 Apache, Debian | 2 Subversion, Debian Linux | 2024-11-21 | N/A |
| Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory. | ||||
| CVE-2016-10149 | 3 Debian, Pysaml2 Project, Redhat | 3 Debian Linux, Pysaml2, Openstack | 2024-11-21 | N/A |
| XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response. | ||||
| CVE-2016-10040 | 1 Qt | 1 Qxmlsimplereader | 2024-11-21 | N/A |
| Stack-based buffer overflow in QXmlSimpleReader in Qt 4.8.5 allows remote attackers to cause a denial of service (application crash) via a xml file with multiple nested open tags. | ||||
| CVE-2015-9541 | 3 Fedoraproject, Qt, Redhat | 3 Fedora, Qt, Enterprise Linux | 2024-11-21 | 7.5 High |
| Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. | ||||
| CVE-2014-8090 | 2 Redhat, Ruby-lang | 3 Enterprise Linux, Rhel Software Collections, Ruby | 2024-11-21 | N/A |
| The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. | ||||
| CVE-2014-8080 | 4 Canonical, Opensuse, Redhat and 1 more | 5 Ubuntu Linux, Opensuse, Enterprise Linux and 2 more | 2024-11-21 | N/A |
| The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. | ||||