7.5

CVE-2020-7226

Exploit
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VtCryptacular Version < 1.1.4
VtCryptacular Version >= 1.2.0 < 1.2.4
OracleWebcenter Sites Version12.2.1.3.0
OracleWebcenter Sites Version12.2.1.4.0
OracleWeblogic Server Version12.2.1.4.0
OracleWeblogic Server Version14.1.1.0.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.33% 0.871
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://github.com/apereo/cas/commit/8810f2b6c71d73341d4dde6b09a18eb46cfd6d45
Patch
Third Party Advisory
https://github.com/apereo/cas/commit/93b1c3e9d90e36a19d0fa0f6efb863c6f0235e75
Patch
Third Party Advisory
https://github.com/apereo/cas/commit/a042808d6adbbf44753d52c55cac5f533e24101f
Patch
Third Party Advisory
https://github.com/apereo/cas/pull/4685
Patch
Third Party Advisory
https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153
Third Party Advisory
Exploit
https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153
Third Party Advisory
Exploit
https://github.com/vt-middleware/cryptacular/issues/52
Third Party Advisory
Exploit
https://lists.apache.org/thread.html/r0847c7eb78c8f9e87d5b841fbd5da52b2ad4b4345e04b51c30621d88%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r209de85beae4d257d27fc577e3a3e97039bdb4c2dc6f4a8e5a5a5811%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r2237a27040b57adc2fcc5570bd530ad2038e67fcb2a3ce65283d3143%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r380781f5b489cb3c818536cd3b3757e806bfe0bca188591e0051ac03%40%3Ccommits.ws.apache.org%3E
https://lists.apache.org/thread.html/r4a62133ad01d5f963755021027a4cce23f76b8674a13860d2978c7c8%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r77c48cd851f60833df9a9c9c31f12243508e15d1b2a0961066d44fc6%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rc36b75cabb4d700b48035d15ad8b8c2712bb32123572a1bdaec2510a%40%3Cdev.ws.apache.org%3E
https://lists.apache.org/thread.html/re04e4f8f0d095387fb6b0ff9016a0af8c93f42e1de93b09298bfa547%40%3Ccommits.ws.apache.org%3E
https://lists.apache.org/thread.html/re7f46c4cc29a4616e0aa669c84a0eb34832e83a8eef05189e2e59b44%40%3Cdev.ws.apache.org%3E
https://lists.apache.org/thread.html/rfa4647c58e375996e62a9094bffff6dc350ec311ba955b430e738945%40%3Cdev.ws.apache.org%3E