Professional OVAL Repository
OVAL Definition Details
Id: oval:ru.altx-soft.nix:def:241133
Version: 1
Class: patch
ALTXid: 469343
Language: Russian
Severity: High
Title: Update RHSA-2018:1448: fixing vulnerabilities in Red Hat JBoss Enterprise Application Platform 6.4.20
Description:
jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525).
jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095).
slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution.
Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability.
solr: Directory traversal via Index Replication HTTP API.
tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources.
jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries.
Family: unix
Platform: Red Hat Enterprise Linux 7
Product: Red Hat JBoss Enterprise Application Platform
Reference
VENDOR: RHSA-2018:1448
Id: RHSA-2018:1448
Reference: https://access.redhat.com/errata/RHSA-2018:1448
CVE: CVE-2016-4978
Id: CVE-2016-4978
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4978
Comment: The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
CVSSv2 Score: 6
Access vector: NETWORK
Access complexity: MEDIUM
Authentication: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSSv2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSSv3 Score: 7.2
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: 502 (Deserialization of Untrusted Data)
References:
[activemq-users] 20160923 [CVE-2016-4978] Apache ActiveMQ Artemis: Deserialization of untrusted input vunerability (MLIST)
https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf (MISC)
93142 (BID)
RHSA-2017:3458 (REDHAT)
RHSA-2017:3456 (REDHAT)
RHSA-2017:3455 (REDHAT)
RHSA-2017:3454 (REDHAT)
RHSA-2017:1837 (REDHAT)
RHSA-2017:1836 (REDHAT)
RHSA-2017:1835 (REDHAT)
RHSA-2017:1834 (REDHAT)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E (MISC)
https://lists.apache.org/thread.html/7260bd0955c12aac5bd892039d3356ba3aa0ff4caaf2aa4fd4fe84a2%40%3Cissues.activemq.apache.org%3E (MISC)
https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E (MISC)
https://lists.apache.org/thread.html/d4ffbc6a43a915324a394b2913ceb7d07bc352f2d08caa19df0aff02%40%3Cissues.activemq.apache.org%3E (MISC)
CVE: CVE-2017-3163
Id: CVE-2017-3163
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163
Comment: When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
CVSSv2 Score: 5
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3 Score: 7.5
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
References:
DSA-4124 (DEBIAN)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
[solr-user] 20170215 [SECURITY] CVE-2017-3163 Apache Solr ReplicationHandler path traversal attack ()
CVE: CVE-2017-15095
Id: CVE-2017-15095
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095
Comment: A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv2 Score: 7.5
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score: 9.8
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 502 (Deserialization of Untrusted Data)
References:
https://github.com/FasterXML/jackson-databind/issues/1737 (CONFIRM)
https://github.com/FasterXML/jackson-databind/issues/1680 (CONFIRM)
DSA-4037 (DEBIAN)
https://security.netapp.com/advisory/ntap-20171214-0003/ (CONFIRM)
RHSA-2017:3190 (REDHAT)
RHSA-2017:3189 (REDHAT)
1039769 (SECTRACK)
RHSA-2018:0342 (REDHAT)
RHSA-2018:0481 (REDHAT)
RHSA-2018:0480 (REDHAT)
RHSA-2018:0479 (REDHAT)
RHSA-2018:0478 (REDHAT)
RHSA-2018:0577 (REDHAT)
RHSA-2018:0576 (REDHAT)
103880 (BID)
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (CONFIRM)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (CONFIRM)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (CONFIRM)
RHSA-2018:2927 (REDHAT)
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (CONFIRM)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (MISC)
RHSA-2019:2858 (REDHAT)
RHSA-2019:3149 (REDHAT)
RHSA-2019:3892 (REDHAT)
[debian-lts-announce] 20200131 [SECURITY] [DLA 2091-1] libjackson-json-java security update (MLIST)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
[lucene-solr-user] 20191219 Re: CVE-2017-7525 fix for Solr 7.7.x ()
CVE: CVE-2017-17485
Id: CVE-2017-17485
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
Comment: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv2 Score: 7.5
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score: 9.8
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 502 (Deserialization of Untrusted Data)
References:
https://github.com/irsl/jackson-rce-via-spel/ (MISC)
https://github.com/FasterXML/jackson-databind/issues/1855 (CONFIRM)
RHSA-2018:0116 (REDHAT)
https://security.netapp.com/advisory/ntap-20180201-0003/ (CONFIRM)
DSA-4114 (DEBIAN)
RHSA-2018:0342 (REDHAT)
RHSA-2018:0481 (REDHAT)
RHSA-2018:0480 (REDHAT)
RHSA-2018:0479 (REDHAT)
RHSA-2018:0478 (REDHAT)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us (CONFIRM)
20180109 CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used (BUGTRAQ)
RHSA-2018:2930 (REDHAT)
RHSA-2019:1782 (REDHAT)
RHSA-2019:1797 (REDHAT)
RHSA-2019:2858 (REDHAT)
RHSA-2019:3149 (REDHAT)
RHSA-2019:3892 (REDHAT)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
CVE: CVE-2018-1304
Id: CVE-2018-1304
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304
Comment: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
CVSSv2 Score: 4.3
Access vector: NETWORK
Access complexity: MEDIUM
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3 Score: 5.9
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
1040427 (SECTRACK)
103170 (BID)
[debian-lts-announce] 20180306 [SECURITY] [DLA 1301-1] tomcat7 security update (MLIST)
RHSA-2018:0466 (REDHAT)
RHSA-2018:0465 (REDHAT)
RHSA-2018:1320 (REDHAT)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
USN-3665-1 (UBUNTU)
[debian-lts-announce] 20180627 [SECURITY] [DLA 1400-1] tomcat7 security update (MLIST)
https://security.netapp.com/advisory/ntap-20180706-0001/ (CONFIRM)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (CONFIRM)
[debian-lts-announce] 20180729 [SECURITY] [DLA 1450-1] tomcat8 security update (MLIST)
DSA-4281 (DEBIAN)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (CONFIRM)
RHSA-2018:2939 (REDHAT)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (MISC)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (MISC)
RHSA-2019:2205 (REDHAT)
N/A (N/A)
https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E ()
[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ ()
[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ ()
[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ ()
[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ ()
[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ ()
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ ()
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ ()
[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ ()
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ ()
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ ()
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ ()
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ ()
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ ()
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/ ()
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/ ()
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ ()
CVE: CVE-2018-7489
Id: CVE-2018-7489
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
Comment: FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv2 Score: 7.5
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score: 9.8
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 184 (Incomplete Blacklist)
References:
https://github.com/FasterXML/jackson-databind/issues/1931 (CONFIRM)
103203 (BID)
https://security.netapp.com/advisory/ntap-20180328-0001/ (CONFIRM)
1040693 (SECTRACK)
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html (CONFIRM)
DSA-4190 (DEBIAN)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
RHSA-2018:1786 (REDHAT)
RHSA-2018:2090 (REDHAT)
RHSA-2018:2089 (REDHAT)
RHSA-2018:2088 (REDHAT)
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html (CONFIRM)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us (CONFIRM)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (CONFIRM)
1041890 (SECTRACK)
RHSA-2018:2939 (REDHAT)
RHSA-2018:2938 (REDHAT)
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (CONFIRM)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (MISC)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (MISC)
RHSA-2019:2858 (REDHAT)
RHSA-2019:3149 (REDHAT)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves ()
CVE: CVE-2018-8088
Id: CVE-2018-8088
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
Comment: org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J has been fixed in SLF4J versions 1.7.26 and later and in the 2.0.x series.
CVSSv2 Score: 7.5
Access vector: NETWORK
Access complexity: LOW
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score: 9.8
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Scope: UNCHANGED
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
https://jira.qos.ch/browse/SLF4J-431 (MISC)
https://jira.qos.ch/browse/SLF4J-430 (MISC)
https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405 (MISC)
RHSA-2018:0592 (REDHAT)
RHSA-2018:0582 (REDHAT)
RHSA-2018:0630 (REDHAT)
RHSA-2018:0629 (REDHAT)
RHSA-2018:0628 (REDHAT)
RHSA-2018:0627 (REDHAT)
1040627 (SECTRACK)
RHSA-2018:1251 (REDHAT)
RHSA-2018:1249 (REDHAT)
RHSA-2018:1248 (REDHAT)
RHSA-2018:1247 (REDHAT)
103737 (BID)
RHSA-2018:1323 (REDHAT)
RHSA-2018:1525 (REDHAT)
RHSA-2018:1451 (REDHAT)
RHSA-2018:1450 (REDHAT)
RHSA-2018:1449 (REDHAT)
RHSA-2018:1448 (REDHAT)
RHSA-2018:1447 (REDHAT)
RHSA-2018:1575 (REDHAT)
RHSA-2018:2143 (REDHAT)
RHSA-2018:2420 (REDHAT)
RHSA-2018:2419 (REDHAT)
RHSA-2018:2669 (REDHAT)
RHSA-2018:2930 (REDHAT)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (MISC)
RHSA-2019:2413 (REDHAT)
RHSA-2019:3140 (REDHAT)
https://www.oracle.com/security-alerts/cpujul2020.html (MISC)
https://www.oracle.com/security-alerts/cpuoct2020.html (MISC)
https://www.oracle.com/security-alerts/cpuoct2021.html (MISC)
https://www.slf4j.org/news.html (MISC)
[infra-devnull] 20190321 [GitHub] [tika] dadoonet opened pull request #268: Update slf4j to 1.8.0-beta4 ()
[infra-devnull] 20190321 [GitHub] [tika] grossws commented on issue #268: Update slf4j to 1.8.0-beta4 ()
[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088) ()
[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088) ()
[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088) ()
[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088) ()
[hadoop-common-commits] 20200824 [hadoop] branch branch-3.3 updated: HADOOP-17220. Upgrade slf4j to 1.7.30 ( To Address: CVE-2018-8088). Contributed by Brahma Reddy Battula. ()
[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Address: CVE-2018-8088) ()
[hadoop-common-commits] 20200824 [hadoop] branch trunk updated: HADOOP-17220. Upgrade slf4j to 1.7.30 ( To Address: CVE-2018-8088). Contributed by Brahma Reddy Battula. ()
[logging-notifications] 20200825 [jira] [Commented] (LOG4J2-2329) Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088 ()
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list ()
[pulsar-commits] 20210127 [GitHub] [pulsar] GLouMcK opened a new issue #9347: Security Vulnerabilities - Black Duck Scan ()
[iotdb-notifications] 20210325 [jira] [Created] (IOTDB-1258) jcl-over-slf4j have Security Vulnerabilities CVE-2018-8088 ()
[iotdb-reviews] 20210325 [GitHub] [iotdb] wangchao316 opened a new pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088 ()
[iotdb-reviews] 20210327 [GitHub] [iotdb] wangchao316 closed pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088 ()
[iotdb-reviews] 20210327 [GitHub] [iotdb] wangchao316 opened a new pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088 ()
[zookeeper-issues] 20210327 [jira] [Created] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088 ()
[zookeeper-issues] 20210327 [jira] [Updated] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088 ()
[zookeeper-dev] 20210327 [jira] [Created] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088 ()
[zookeeper-issues] 20210328 [jira] [Commented] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088 ()
[iotdb-reviews] 20210328 [GitHub] [iotdb] HTHou merged pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088 ()
[iotdb-commits] 20210328 [iotdb] branch master updated: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088 (#2906) ()
[flink-dev] 20210720 [jira] [Created] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088 ()
[flink-issues] 20210720 [jira] [Created] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088 ()
[flink-issues] 20210721 [jira] [Commented] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088 ()
[flink-issues] 20210725 [jira] [Commented] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088 ()
[flink-issues] 20210804 [jira] [Closed] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088 ()
https://security.netapp.com/advisory/ntap-20231227-0010/ ()