CVE Daily
← All tags

Tag: Oracle JDK

All CVEs associated with "Oracle JDK". Page 11/43 • 5132 CVEs.

Subscribe CVEs: RSS for “Oracle JDK”  ·  RSS (High+Critical only)

About “Oracle JDK”

A curated feed of “Oracle JDK”-related CVEs appears below. We currently track 5132 CVEs for this tag (all time). In the last 365 days, 782 were published. Average CVSS is 6.7 (all time; 6.3 over 365d), and 48% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a MODERATE impact class. JDK and JVM updates affect TLS, serialization, and performance. Upgrade JDK or JRE, restart dependents, avoid unsupported builds, and consider key or cert rotation if needed. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-06-11
Medium

CVE-2024-28164

SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confident…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-05-29
High

CVE-2024-36114

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash…

CVSS: 8.6 CWE: CWE-125 - Out-of-bounds Read View on NVD
2024-05-24
Medium

CVE-2023-46442

An infinite loop in the retrieveActiveBody function of Soot before v4.4.1 under Java 8 allows attackers to cause a Denial of Service (DoS).

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-05-15
High

CVE-2024-3967

Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger remote code execution unisng unsafe java object deserialization.

CVSS: 7.6 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Critical

CVE-2024-32888

The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterpr…

CVSS: 10.0 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-05-14
High

CVE-2024-30172

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2024-30171

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

CVSS: 5.9 CWE: CWE-203 - Observable Discrepancy View on NVD
High

CVE-2024-29857

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC cert…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Low

CVE-2024-28866

GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while…

CVSS: 3.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-38264

The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to impro…

CVSS: 5.9 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-05-07
High

CVE-2024-23713

In migrateNotificationFilter of NotificationManagerService.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2024-23712

In multiple functions of AppOpsService.java, there is a possible way to saturate the content of /data/system/appops_accesses.xml due to resource exhaustion. This could lead to local denial of service…

CVSS: 5.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2024-23710

In assertPackageWithSharedUserIdIsPrivileged of InstallPackageHelper.java, there is a possible execution of arbitrary app code as a privileged app due to a logic error in the code. This could lead to…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-23708

In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has been accessed. This could lead to local escalation of privil…

CVSS: 7.8 CWE: CWE-451 - User Interface (UI) Misrepresentation of Critical Information View on NVD
High

CVE-2024-23704

In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. This could lead to local escalation of privilege…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-0027

In multiple functions of SnoozeHelper.java, there is a possible way to cause a boot loop due to resource exhaustion. This could lead to local denial of service with no additional execution privileges…

CVSS: 5.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Medium

CVE-2024-0026

In multiple functions of SnoozeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privil…

CVSS: 5.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
High

CVE-2024-0025

In sendIntentSender of ActivityManagerService.java, there is a possible background activity launch due to a logic error. This could lead to local escalation of privilege with no additional execution…

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-0024

In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2024-0022

In multiple functions of CompanionDeviceManagerService.java, there is a possible launch NotificationAccessConfirmationActivity of another user profile due to improper input validation. This could lea…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
2024-05-06
Medium

CVE-2024-33117

crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController.

CVSS: 5.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-05-03
High

CVE-2024-34447

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identi…

CVSS: 7.5 CWE: CWE-297 - Improper Validation of Certificate with Host Mismatch View on NVD
High

CVE-2023-39469

PaperCut NG External User Lookup Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut NG. Aut…

CVSS: 7.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-05-02
Medium

CVE-2024-34148

Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically disables the fix for CVE-2016-3721 whenever a build is triggered from a release tag, by setting the Java system pr…

CVSS: 6.8 CWE: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') View on NVD
2024-04-30
High

CVE-2024-29466

Directory Traversal vulnerability in lsgwr spring boot online exam v.0.9 allows an attacker to execute arbitrary code via the FileTransUtil.java component.

CVSS: 8.8 CWE: CWE-26 - Path Traversal: '/dir/../filename' View on NVD
2024-04-25
Medium

CVE-2023-5675

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation p…

CVSS: 6.5 CWE: CWE-285 - Improper Authorization View on NVD
2024-04-24
High

CVE-2024-32876

NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.…

CVSS: 8.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-04-22
High

CVE-2024-32656

Ant Media Server is live streaming engine software. A local privilege escalation vulnerability in present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to esca…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-32653

jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerabil…

CVSS: 6.1 CWE: CWE-20 - Improper Input Validation View on NVD
2024-04-19
Medium

CVE-2024-29962

Brocade SANnav OVA before v2.3.1 and v2.3.0a have an insecure file permission setting that makes files world-readable. This could allow a local user without the required privileges to access sensitiv…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2024-04-17
High

CVE-2024-32463

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Th…

CVSS: 7.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-04-16
Low

CVE-2024-21098

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.…

CVSS: 3.7 CWE: N/A View on NVD
Low

CVE-2024-21094

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE…

CVSS: 3.7 CWE: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data View on NVD
Medium

CVE-2024-21093

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.22 and 21.3-21.13. Difficult to exploit vulnerability allows low privileged attack…

CVSS: 5.3 CWE: N/A View on NVD
Low

CVE-2024-21085

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf,…

CVSS: 3.7 CWE: N/A View on NVD
Low

CVE-2024-21068

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE…

CVSS: 3.7 CWE: N/A View on NVD
Low

CVE-2024-21012

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java…

CVSS: 3.7 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2024-21011

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE…

CVSS: 3.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Low

CVE-2024-21005

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM E…

CVSS: 3.1 CWE: N/A View on NVD
Low

CVE-2024-21004

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM E…

CVSS: 2.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2024-21003

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM E…

CVSS: 3.1 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Low

CVE-2024-21002

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM E…

CVSS: 2.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2024-20954

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.…

CVSS: 3.7 CWE: N/A View on NVD
High

CVE-2024-1961

vertaai/modeldb is vulnerable to a path traversal attack due to improper sanitization of user-supplied file paths in its file upload functionality. Attackers can exploit this vulnerability to write a…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-04-10
High

CVE-2024-23077

JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBounds via the component /chart/plot/CompassPlot.java. NOTE: this is disputed by multiple third parties who believe there was not r…

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
High

CVE-2024-23076

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /labels/BubbleXYItemLabelGenerator.java. NOTE: this is disputed by multiple third parties who believe there was no…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2024-04-09
High

CVE-2024-27899

Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This c…

CVSS: 8.8 CWE: CWE-640 - Weak Password Recovery Mechanism for Forgotten Password View on NVD
2024-04-07
Medium

CVE-2021-4438

A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function registerReceiver of the…

CVSS: 5.3 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2024-04-06
Low

CVE-2024-3366

A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the…

CVSS: 3.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2024-04-05
High

CVE-2024-31851

A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access t…

CVSS: 8.6 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2024-31850

A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to…

CVSS: 8.6 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2024-31849

A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain compl…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2024-31848

A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain co…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-04-04
Medium

CVE-2024-3311

A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesControl…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-04-01
Medium

CVE-2024-31033

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwt…

CVSS: 6.8 CWE: N/A View on NVD
2024-03-28
High

CVE-2024-28714

SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter.

CVSS: 8.1 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-03-22
Medium

CVE-2024-2828

A vulnerability, which was classified as critical, was found in lakernote EasyAdmin up to 20240315. Affected is the function thumbnail of the file src/main/java/com/laker/admin/module/sys/controller/…

CVSS: 6.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-03-21
Medium

CVE-2024-24110

SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via crafted GET request to the component /api/front/spread/people.

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2022-4963

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/t…

CVSS: 5.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-03-20
Critical

CVE-2024-25294

An SSRF issue in REBUILD v.3.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the FileDownloader.java, proxyDownload,URL parameters.

CVSS: 9.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2024-23821

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-23819

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-23818

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-23643

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.2 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-23642

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-23640

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-23634

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2…

CVSS: 6.0 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2023-51445

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2023-51444

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 t…

CVSS: 7.2 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2023-41877

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Adminis…

CVSS: 7.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-03-18
Critical

CVE-2024-24578

RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RC…

CVSS: 10.0 CWE: CWE-23 - Relative Path Traversal View on NVD
High

CVE-2024-24230

Komm.One CMS 10.4.2.14 has a Server-Side Template Injection (SSTI) vulnerability via the Velocity template engine. It allows remote attackers to execute arbitrary code via a URL that specifies java.l…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-03-15
High

CVE-2024-28848

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎CompiledRule::valida…

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2024-28254

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎AlertUtil::validateE…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2024-03-12
High

CVE-2024-27135

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for run…

CVSS: 8.5 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2024-22127

SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection v…

CVSS: 9.1 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2024-03-11
High

CVE-2024-27222

In onSkipButtonClick of FaceEnrollFoldPage.java, there is a possible way to access the file the app cannot access due to Intent Redirect GRANT_URI_PERMISSIONS Attack. This could lead to local escala…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Low

CVE-2024-0053

In getCustomPrinterIcon of PrintManagerService.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional e…

CVSS: 3.3 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
High

CVE-2024-0048

In Session of AccountManagerService.java, there is a possible method to retain foreground service privileges due to incorrect handling of null responses. This could lead to local escalation of privil…

CVSS: 7.8 CWE: CWE-230 - Improper Handling of Missing Values View on NVD
Medium

CVE-2024-0047

In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. This could lead to local denial of service when policies are deserial…

CVSS: 5.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2024-0046

In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2024-0044

In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional exec…

CVSS: 6.7 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Low

CVE-2024-2365

A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. Affected by this vulnerability is an unknown functionality of the file io\fabric\sdk\android\services\network\Pin…

CVSS: 1.6 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2024-03-07
Critical

CVE-2024-28213

nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-03-01
Medium

CVE-2024-2064

A vulnerability has been found in rahman SelectCours 1.0 and classified as problematic. Affected by this vulnerability is the function getCacheNames of the file CacheController.java of the component…

CVSS: 4.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2024-02-29
Critical

CVE-2024-23328

Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the v…

CVSS: 9.1 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2023-51775

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-02-27
High

CVE-2024-24323

SQL injection vulnerability in linlinjava litemall v.1.8.0 allows a remote attacker to obtain sensitive information via the nickname, consignee, orderSN, orderStatusArray parameters of the AdminOrder…

CVSS: 7.2 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-02-26
High

CVE-2024-22201

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2024-02-23
High

CVE-2024-25469

SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list compo…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-02-22
Critical

CVE-2023-51653

Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is `/api/monitor…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Critical

CVE-2023-51388

Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in Aviato…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2024-02-20
Critical

CVE-2024-22824

An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary code via the filetype restrictions in the UploadController.java component.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-02-17
Medium

CVE-2024-20945

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java S…

CVSS: 4.7 CWE: N/A View on NVD
Low

CVE-2024-20925

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM E…

CVSS: 3.1 CWE: N/A View on NVD
Low

CVE-2024-20923

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM E…

CVSS: 3.1 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Medium

CVE-2024-20921

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE…

CVSS: 5.9 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Medium

CVE-2024-20919

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE…

CVSS: 5.9 CWE: N/A View on NVD
Medium

CVE-2024-20903

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.21 and 21.3-21.12. Easily exploitable vulnerability allows low privileged attacker…

CVSS: 6.5 CWE: N/A View on NVD
2024-02-16
High

CVE-2024-0021

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This coul…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2024-0020

In onActivityResult of NotificationSoundPreference.java, there is a possible way to hear audio files belonging to a different user due to a confused deputy. This could lead to local information discl…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-0019

In setListening of AppOpsControllerImpl.java, there is a possible way to hide the microphone privacy indicator when restarting systemUI due to a missing check for active recordings. This could lead t…

CVSS: 5.0 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2024-0017

In shouldUseNoOpLocation of CameraActivity.java, there is a possible confused deputy due to a permissions bypass. This could lead to local information disclosure with no additional execution privileg…

CVSS: 5.5 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2024-0015

In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User…

CVSS: 7.8 CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges View on NVD
High

CVE-2024-0038

In injectInputEventToInputFilter of AccessibilityManagerService.java, there is a possible arbitrary input event injection due to a missing permission check. This could lead to local escalation of pri…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
Low

CVE-2024-0037

In applyCustomDescription of SaveUi.java, there is a possible way to view images belonging to a different user due to a missing permission check. This could lead to local information disclosure with…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-0036

In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This c…

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2024-0035

In onNullBinding of TileLifecycleManager.java, there is a possible way to launch an activity from the background due to a missing null check. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2024-0014

In startInstall of UpdateFetcher.java, there is a possible way to trigger a malicious config update due to a logic error. This could lead to local escalation of privilege with no additional execution…

CVSS: 7.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Low

CVE-2023-40122

In applyCustomDescription of SaveUi.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional execution pr…

CVSS: 3.3 CWE: N/A View on NVD
2024-02-15
High

CVE-2023-40111

In setMediaButtonReceiver of MediaSessionRecord.java, there is a possible way to send a pending intent on behalf of system_server due to a confused deputy. This could lead to local escalation of priv…

CVSS: 7.8 CWE: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy') View on NVD
High

CVE-2023-40109

In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional exe…

CVSS: 7.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2023-40106

In sanitizeSbn of NotificationManagerService.java, there is a possible way to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additi…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2023-40105

In backupAgentCreated of ActivityManagerService.java, there is a possible way to leak sensitive data due to a missing permission check. This could lead to local information disclosure with no additio…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
2024-02-13
High

CVE-2024-24743

SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enabl…

CVSS: 8.6 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Medium

CVE-2024-22126

The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This r…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-02-09
High

CVE-2023-50386

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This iss…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2023-50291

Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Sol…

CVSS: 7.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2024-23639

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled bu…

CVSS: 5.1 CWE: CWE-15 - External Control of System or Configuration Setting View on NVD
2024-02-07
High

CVE-2024-24824

Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using a HTTP PUT request to the…

CVSS: 8.8 CWE: CWE-284 - Improper Access Control View on NVD