Oracle

Financial Services Analytical Applications Infrastructure

84 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2018-14718

  • EPSS 9.37%
  • Veröffentlicht 02.01.2019 18:29:00
  • Zuletzt bearbeitet 21.11.2024 03:49:39

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

9.8

CVE-2018-14719

  • EPSS 2.19%
  • Veröffentlicht 02.01.2019 18:29:00
  • Zuletzt bearbeitet 21.11.2024 03:49:40

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

9.8

CVE-2018-14720

  • EPSS 2.52%
  • Veröffentlicht 02.01.2019 18:29:00
  • Zuletzt bearbeitet 21.11.2024 03:49:40

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

10

CVE-2018-14721

  • EPSS 5.93%
  • Veröffentlicht 02.01.2019 18:29:00
  • Zuletzt bearbeitet 21.11.2024 03:49:40

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

7.5

CVE-2018-15756

  • EPSS 22.78%
  • Veröffentlicht 18.10.2018 22:29:00
  • Zuletzt bearbeitet 21.11.2024 03:51:24

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler,...

6.1

CVE-2018-8032

  • EPSS 2.34%
  • Veröffentlicht 02.08.2018 13:29:00
  • Zuletzt bearbeitet 08.05.2025 18:13:51

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

9.8

CVE-2018-8013

  • EPSS 1.33%
  • Veröffentlicht 24.05.2018 16:29:00
  • Zuletzt bearbeitet 21.11.2024 04:13:05

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before ...

9.8

CVE-2017-7525

  • EPSS 79.65%
  • Veröffentlicht 06.02.2018 15:29:00
  • Zuletzt bearbeitet 21.11.2024 03:32:04

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the Obj...

9.8

CVE-2017-15095

  • EPSS 9.26%
  • Veröffentlicht 06.02.2018 15:29:00
  • Zuletzt bearbeitet 21.11.2024 03:14:03

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMappe...

6.1

CVE-2015-9251

  • EPSS 14.53%
  • Veröffentlicht 18.01.2018 23:29:00
  • Zuletzt bearbeitet 21.11.2024 02:40:09

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.