CVE-2020-7226

Exploit

EPSS 1.65%
Published 24.01.2020 15:15:14
Last modified 21.11.2024 05:36:52
Source cve@mitre.org
Teams watchlist Login
Open Login

CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.

Affected products Warnungen 0 Metrics 3 CWE 1 References 22

Data is provided by the National Vulnerability Database (NVD)

Vt ≫ Cryptacular Version < 1.1.4

Vt ≫ Cryptacular Version >= 1.2.0 < 1.2.4

Oracle ≫ Communications Services Gatekeeper Version7.0

Oracle ≫ Webcenter Sites Version12.2.1.3.0

Oracle ≫ Webcenter Sites Version12.2.1.4.0

Oracle ≫ Weblogic Server Version12.2.1.4.0

Oracle ≫ Weblogic Server Version14.1.1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.65%	0.812

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://github.com/apereo/cas/commit/8810f2b6c71d73341d4dde6b09a18eb46cfd6d45

Patch

Third Party Advisory

https://github.com/apereo/cas/commit/93b1c3e9d90e36a19d0fa0f6efb863c6f0235e75

Patch

Third Party Advisory