9.8
CVE-2018-1000613
- EPSS 4.04%
- Published 09.07.2018 20:29:00
- Last modified 12.05.2025 17:37:16
- Source cve@mitre.org
The Legion of the Bouncy Castle Java Cryptography APIs, versions 1.58 up to but not including 1.60, contain a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization. Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key that includes references to unexpected classes, which will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Data provided by the National Vulnerability Database (NVD)
Bouncycastle ≫ Bc-java Version >= 1.58 < 1.60
Netapp ≫ Oncommand Workflow Automation Version -
Oracle ≫ Api Gateway Version 11.1.2.4.0
Oracle ≫ Banking Platform Version 2.6.0
Oracle ≫ Banking Platform Version 2.6.1
Oracle ≫ Banking Platform Version 2.6.2
Oracle ≫ Business Process Management Suite Version 11.1.1.9.0
Oracle ≫ Business Process Management Suite Version 12.1.3.0.0
Oracle ≫ Business Process Management Suite Version 12.2.1.3.0
Oracle ≫ Business Transaction Management Version 12.1.0
Oracle ≫ Communications Application Session Controller Version 3.7.1
Oracle ≫ Communications Application Session Controller Version 3.8.0
Oracle ≫ Communications Converged Application Server Version < 7.0.0.1
Oracle ≫ Communications Converged Application Server Version 7.0.0.1
Oracle ≫ Communications Convergence Version 3.0.2
Oracle ≫ Communications Diameter Signaling Router Version 8.0.0
Oracle ≫ Communications Diameter Signaling Router Version 8.1
Oracle ≫ Communications Diameter Signaling Router Version 8.2
Oracle ≫ Communications Diameter Signaling Router Version 8.2.1
Oracle ≫ Communications Webrtc Session Controller Version < 7.2
Oracle ≫ Communications Webrtc Session Controller Version 7.2
Oracle ≫ Data Integrator Version 12.2.1.3.0
Oracle ≫ Enterprise Manager Base Platform Version 12.1.0.5.0
Oracle ≫ Enterprise Manager Base Platform Version 13.2.0.0
Oracle ≫ Enterprise Manager Base Platform Version 13.3.0.0
Oracle ≫ Enterprise Manager For Fusion Middleware Version 13.2.0.0
Oracle ≫ Enterprise Manager For Fusion Middleware Version 13.3.0.0
Oracle ≫ Enterprise Repository Version 11.1.1.7.0
Oracle ≫ Enterprise Repository Version 12.1.3.0.0
Oracle ≫ Managed File Transfer Version 12.1.3.0.0
Oracle ≫ Managed File Transfer Version 12.2.1.3.0
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.55
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.56
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.57
Oracle ≫ Retail Convenience And Fuel Pos Software Version 2.8.1
Oracle ≫ Retail Xstore Point Of Service Version 7.0
Oracle ≫ Retail Xstore Point Of Service Version 7.1
Oracle ≫ Utilities Network Management System Version 1.12.0.3
Oracle ≫ Utilities Network Management System Version 2.3.0.0
Oracle ≫ Utilities Network Management System Version 2.3.0.1
Oracle ≫ Utilities Network Management System Version 2.3.0.2
Oracle ≫ Webcenter Portal Version 11.1.1.9.0
Oracle ≫ Webcenter Portal Version 12.2.1.3.0
Oracle ≫ Weblogic Server Version 12.2.1.3
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 4.04% | 0.88 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.