About “Oracle JDK”

A curated feed of “Oracle JDK”-related CVEs appears below. We currently track 5132 CVEs for this tag (all time). In the last 365 days, 782 were published. Average CVSS is 6.7 (all time; 6.3 over 365d), and 48% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a MODERATE impact class. JDK and JVM updates affect TLS, serialization, and performance. Upgrade JDK or JRE, restart dependents, avoid unsupported builds, and consider key or cert rotation if needed. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic.
2019-08-20
High

CVE-2019-2125

In ChangeDefaultDialerDialog.java, there is a possible escalation of privilege due to an overlay attack. This could lead to local escalation of privilege, granting privileges to a local app without t…

High

CVE-2019-2122

In LockTaskController.lockKeyguardIfNeeded of the LockTaskController.java, there was a difference in the handling of the default case between the WindowManager and the Settings. This could lead to a…

2019-08-14
Critical

CVE-2019-0345

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted…

Medium

CVE-2019-0337

Java Proxy Runtime of SAP NetWeaver Process Integration, versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs and allows an attacker to execute malicious s…

2019-08-07
Medium

CVE-2019-10372

An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.

High

CVE-2019-10371

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the…

2019-08-05
High

CVE-2019-4473

Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. IBM X-…

2019-08-01
High

CVE-2019-0193

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "d…

2019-07-29
Critical

CVE-2019-14379

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), lead…

2019-07-26
Critical

CVE-2019-13990

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Critical

CVE-2018-11779

In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Ja…

2019-07-23
Medium

CVE-2019-2862

Vulnerability in the Oracle GraalVM Enterprise Edition component of Oracle GraalVM (subcomponent: Java). The supported version that is affected is 19.0.0. Difficult to exploit vulnerability allows un…

Low

CVE-2019-2842

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attac…

Medium

CVE-2019-2821

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 11.0.3 and 12.0.1. Difficult to exploit vulnerability allows unauthent…

Low

CVE-2019-2818

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 11.0.3 and 12.0.1. Difficult to exploit vulnerability allows unaut…

Medium

CVE-2019-2816

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embed…

Low

CVE-2019-2786

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u21…

Medium

CVE-2019-2769

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedd…

Low

CVE-2019-2766

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embed…

Medium

CVE-2019-2762

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedd…

Medium

CVE-2019-2749

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows low pri…

Medium

CVE-2019-2745

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows…

Medium

CVE-2019-1010201

Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/ac…

High

CVE-2019-11696

Files with the .JNLP extension used for "Java web start" applications are not treated as executable content for download prompts even though they can be executed if Java is installed on the local sys…

Medium

CVE-2019-1010202

Jeesite 1.2.7 is affected by: XML External Entity (XXE). The impact is: sensitive information disclosure. The component is: convertToModel() function in src/main/java/com.thinkgem.jeesite/modules/act…

2019-07-22
Critical

CVE-2019-1010234

The Linux Foundation ONOS 1.15.0 and earlier is affected by: Improper Input Validation. The impact is: The attacker can remotely execute any commands by sending malicious http request to the controlle…

2019-07-19
Critical

CVE-2019-1010245

The Linux Foundation ONOS SDN Controller 1.15 and earlier versions is affected by: Improper Input Validation. The impact is: A remote attacker can execute arbitrary commands on the controller. The co…

2019-07-18
Medium

CVE-2019-1010252

The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake. The…

Medium

CVE-2019-1010250

The Linux Foundation ONOS 2.0.0 and earlier is affected by: Poor Input-validation. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake. The…

Medium

CVE-2019-1010249

The Linux Foundation ONOS 2.0.0 and earlier is affected by: Integer Overflow. The impact is: A network administrator (or attacker) can install unintended flow rules in the switch by mistake. The comp…

2019-07-17
Critical

CVE-2019-11772

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by t…

Medium

CVE-2019-10352

A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to defi…

Critical

CVE-2019-13624

In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.

High

CVE-2019-13623

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename…

2019-07-16
Medium

CVE-2019-1010018

Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute JavaScript code on the user's browser. The component is: web app. The attack vector is: th…

2019-07-10
High

CVE-2019-0327

SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions 7.2, 7.3, 7.31, 7.4, 7.5), allows an attacker to upload files…

Medium

CVE-2019-0318

Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows an attacker to access information which would otherwise be re…

2019-07-08
Medium

CVE-2019-2117

In checkQueryPermission of TelephonyProvider.java, there is a possible disclosure of secure data due to a missing permission check. This could lead to local information disclosure about carrier syste…

2019-07-05
High

CVE-2018-16386

An issue was discovered in SWIFT Alliance Web Platform 7.1.23. A log injection (and an arbitrary log filename) can be achieved via the PATH_INFO to swp/login/EJBRemoteService/, related to com.swift.e…

2019-06-20
Critical

CVE-2018-15890

An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block,…

2019-06-19
High

CVE-2019-2018

In resetPasswordInternal of DevicePolicyManagerService.java, there is a possible bypass of password reset protection due to an unusual root cause. Remote user interaction is needed for exploitation.P…

High

CVE-2019-2003

In addLinks of Linkify.java, there is a possible phishing vector due to an unusual root cause. This could lead to remote code execution or misdirection of clicks with no additional execution privileg…

High

CVE-2019-2005

In onPermissionGrantResult of GrantPermissionsActivity.java, there is a possible incorrectly granted permission due to a missing permission check. This could lead to local escalation of privilege on…

High

CVE-2019-1985

In findAvailSpellCheckerLocked of TextServicesManagerService.java, there is a possible way to bypass the warning dialog when selecting an untrusted spell checker due to a permissions bypass. This cou…

High

CVE-2019-10257

Zucchetti HR Portal through 2019-03-15 allows Directory Traversal. Unauthenticated users can escape outside of the restricted location (dot-dot-slash notation) to access files or directories that are…

2019-06-12
Medium

CVE-2019-0305

Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects…

2019-06-11
Medium

CVE-2019-10334

Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files.

2019-06-07
High

CVE-2019-2098

In areNotificationsEnabledForPackage of NotificationManagerService.java, there is a possible permissions bypass due to a missing permissions check. This could lead to local escalation of privilege, w…

High

CVE-2019-2092

In isSeparateProfileChallengeAllowed of DevicePolicyManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege, wi…

High

CVE-2019-2091

In GetPermittedAccessibilityServicesForUser of DevicePolicyManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privil…

High

CVE-2019-2090

In isPackageDeviceAdminOnAnyUser of PackageManagerService.java, there is a possible permissions bypass due to a missing permissions check. This could lead to local escalation of privilege, with no ad…

2019-06-05
Medium

CVE-2019-12741

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cook…

2019-05-28
Critical

CVE-2018-17198

Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versions relies on Java SAX Parser to implement its XML-RPC interface and b…

Medium

CVE-2019-12395

In Webbukkit Dynmap 3.0-beta-3 or below, due to a missing login check in servlet/MapStorageHandler.java, an attacker can see a map image without login even if victim enables login-required in setting.

2019-05-22
High

CVE-2016-10750

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinReques…

2019-05-17
High

CVE-2019-12086

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON en…

2019-05-15
Medium

CVE-2016-7043

It has been reported that KIE server and Business Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access…

2019-05-10
High

CVE-2019-11082

core/api/datasets/internal/actions/Explode.java in the Dataset API in DKPro Core through 1.10.0 allows Directory Traversal, resulting in the overwrite of local files with the contents of an archive.

2019-05-08
High

CVE-2019-2050

In tearDownClientInterface of WificondControl.java, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privilege…

High

CVE-2019-2043

In SmsDefaultDialog.onStart of SmsDefaultDialog.java, there is a possible escalation of privilege due to an overlay attack. This could lead to local escalation of privilege, granting privileges to a…

High

CVE-2019-11642

A log poisoning vulnerability has been discovered in the OneShield Policy (Dragon Core) framework before 5.1.10. Authenticated remote adversaries can poison log files by entering malicious payloads i…

2019-05-06
High

CVE-2019-3559

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time f…

2019-05-03
High

CVE-2018-20580

The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

2019-04-25
Critical

CVE-2019-3801

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain Java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker coul…

2019-04-23
Critical

CVE-2019-2699

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Windows DLL). The supported version that is affected is Java SE: 8u202. Difficult to exploit vulnerability allows unauthenticat…

High

CVE-2019-2698

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticat…

High

CVE-2019-2697

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticat…

Medium

CVE-2019-2684

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201.…

High

CVE-2019-2602

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded:…

High

CVE-2019-2518

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows low pri…

2019-04-19
High

CVE-2019-2026

In updateAssistMenuItems of Editor.java, there is a possible escape from the Setup Wizard due to a missing permission check. This could lead to local escalation of privilege and FRP bypass with no ad…

High

CVE-2019-10245

In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detec…

2019-04-18
Medium

CVE-2018-20200

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE:…

2019-04-15
High

CVE-2019-0232

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a b…

2019-04-10
Medium

CVE-2019-0282

Several web pages in SAP NetWeaver Process Integration (Runtime Workbench), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; can be accessed without user authentication, which might expose int…

2019-04-09
Critical

CVE-2018-19586

Silverpeas 5.15 through 6.0.2 is affected by an authenticated Directory Traversal vulnerability that can be triggered during file uploads because core/webapi/upload/FileUploadData.java mishandles a S…

2019-04-07
Critical

CVE-2019-10908

In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be br…

Critical

CVE-2019-10907

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bru…

2019-04-04
Medium

CVE-2014-3603

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain…

2019-04-03
Critical

CVE-2015-5463

AxiomSL's Axiom java applet module (used for editing uploaded Excel files and associated Java RMI services) 9.5.3 and earlier allows remote attackers to (1) access data of other basic users through a…

2019-03-30
Critical

CVE-2019-10648

Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of…

2019-03-21
Medium

CVE-2015-6462

Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains JavaScript that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, B…

Medium

CVE-2015-6461

Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP…

2019-03-12
Medium

CVE-2019-0275

SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which…

2019-03-11
Medium

CVE-2018-1890

IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 152081.

2019-03-08
High

CVE-2019-1003039

An insufficiently protected credentials vulnerability exists in Jenkins AppDynamics Dashboard Plugin 1.0.14 and earlier in src/main/java/nl/codecentric/jenkins/appd/AppDynamicsResultsPublisher.java th…

High

CVE-2019-1003038

An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.ja…

Medium

CVE-2019-1003037

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read…

Medium

CVE-2019-1003036

A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read per…

Medium

CVE-2019-1003035

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/az…

High

CVE-2019-1003033

A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permissi…

Critical

CVE-2019-1003032

A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/em…

Critical

CVE-2019-1003031

A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission t…

Critical

CVE-2019-1003030

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able t…

Critical

CVE-2019-1003029

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jen…

2019-03-07
High

CVE-2019-9624

Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI.

2019-03-06
High

CVE-2019-9615

An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.

Medium

CVE-2019-9611

An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_…

Medium

CVE-2019-9610

An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java.

2019-03-05
High

CVE-2019-0741

An information disclosure vulnerability exists in the way Azure IoT Java SDK logs sensitive information, aka 'Azure IoT Java SDK Information Disclosure Vulnerability'.

Critical

CVE-2019-0729

An Elevation of Privilege vulnerability exists in the way Azure IoT Java SDK generates symmetric keys for encryption, allowing an attacker to predict the randomness of the key, aka 'Azure IoT Java SD…

2019-02-28
Medium

CVE-2019-1995

In ComposeActivityEmail of ComposeActivityEmail.java, there is a possible way to silently attach files to an email due to a confused deputy. This could lead to local information disclosure, sending f…

High

CVE-2019-1994

In refresh of DevelopmentTiles.java, there is the possibility of leaving development settings accessible due to an insecure default value. This could lead to unwanted access to development settings,…

2019-02-25
Medium

CVE-2019-9142

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.

2019-02-21
Critical

CVE-2019-8982

com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.

2019-02-20
Medium

CVE-2019-1003028

A server-side request forgery vulnerability exists in Jenkins JMS Messaging Plugin 1.1.1 and earlier in SSLCertificateAuthenticationMethod.java, UsernameAuthenticationMethod.java that allows attacker…

Medium

CVE-2019-1003027

A server-side request forgery vulnerability exists in Jenkins OctopusDeploy Plugin 1.8.1 and earlier in OctopusDeployPlugin.java that allows attackers with Overall/Read permission to have Jenkins con…

Medium

CVE-2019-1003026

A server-side request forgery vulnerability exists in Jenkins Mattermost Notification Plugin 2.6.2 and earlier in MattermostNotifier.java that allows attackers with Overall/Read permission to have Je…

High

CVE-2019-1003025

An exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to…

High

CVE-2019-1003024

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy s…

2019-02-11
High

CVE-2018-9587

In savePhotoFromUriToUri of ContactPhotoUtils.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, there is possible unauthorized access to files within the cont…

High

CVE-2018-9586

In run of InstallPackageTask.java in Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1 and Android-9, it is possible that package verification is turned off and remains off due to a…

2019-02-09
Critical

CVE-2019-7684

inxedu through 2018-12-24 has a vulnerability that can lead to the upload of a malicious JSP file. The vulnerable code location is com.inxedu.os.common.controller.VideoUploadController#gok4 (com/inxe…

2019-02-06
Medium

CVE-2019-1003023

A cross-site scripting vulnerability exists in Jenkins Warnings Next Generation Plugin 1.0.1 and earlier in src/main/java/io/jenkins/plugins/analysis/core/model/DetailsTableModel.java, src/main/java/…

Medium

CVE-2019-1003022

A denial of service vulnerability exists in Jenkins Monitoring Plugin 1.74.0 and earlier in PluginImpl.java that allows attackers to kill threads running on the Jenkins master.

Medium

CVE-2019-1003020

A server-side request forgery vulnerability exists in Jenkins Kanboard Plugin 1.5.10 and earlier in KanboardGlobalConfiguration.java that allows attackers with Overall/Read permission to submit a GET…

Medium

CVE-2019-1003019

A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they ca…

Medium

CVE-2019-1003017

A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potential…

High

CVE-2019-1003016

An exposure of sensitive information vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/JobImportAction.java, src/main/java/org/jenkin…

Critical

CVE-2019-1003015

An XML external entity processing vulnerability exists in Jenkins Job Import Plugin 2.1 and earlier in src/main/java/org/jenkins/ci/plugins/jobimport/client/RestApiClient.java that allows attackers w…