Max CVSS 9.0 Min CVSS 4.0 Total Count2
IDCVSSSummaryLast (major) updatePublished
CVE-2016-1000338 5.0
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in s
29-08-2024 - 11:09 01-06-2018 - 20:29
CVE-2018-8088 7.5
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.
27-12-2023 - 15:15 20-03-2018 - 16:29
CVE-2014-0114 7.5
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "m
13-02-2023 - 00:32 30-04-2014 - 10:49
CVE-2018-1272 6.0
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a r
23-06-2022 - 16:33 06-04-2018 - 13:29
CVE-2018-1271 4.3
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file s
23-06-2022 - 16:33 06-04-2018 - 13:29
CVE-2018-1000180 5.0
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. T
14-06-2021 - 18:15 05-06-2018 - 13:29
CVE-2017-14063 5.0
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE
16-12-2020 - 06:15 31-08-2017 - 16:29
CVE-2016-1000339 5.0
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lo
20-10-2020 - 22:15 04-06-2018 - 13:29
CVE-2016-1000352 5.8
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
20-10-2020 - 22:15 04-06-2018 - 21:29
CVE-2016-1000346 4.3
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in
20-10-2020 - 22:15 04-06-2018 - 21:29
CVE-2016-1000345 4.3
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identif
20-10-2020 - 22:15 04-06-2018 - 21:29
CVE-2016-1000344 5.8
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
20-10-2020 - 22:15 04-06-2018 - 21:29
CVE-2016-1000342 5.0
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in
20-10-2020 - 22:15 04-06-2018 - 13:29
CVE-2016-1000343 5.0
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generate
20-10-2020 - 22:15 04-06-2018 - 13:29
CVE-2016-1000341 4.3
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacke
20-10-2020 - 22:15 04-06-2018 - 13:29
CVE-2016-1000340 5.0
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom el
20-10-2020 - 22:15 04-06-2018 - 13:29
CVE-2017-14063 5.0
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE
25-09-2020 - 15:15 31-08-2017 - 16:29
CVE-2016-5397 9.0
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
04-06-2020 - 17:15 12-02-2018 - 17:29
CVE-2018-1114 4.0
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.
09-10-2019 - 23:38 11-09-2018 - 15:29
CVE-2018-8036 4.3
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
03-10-2019 - 00:03 03-07-2018 - 20:29
CVE-2018-1339 4.3
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
03-10-2019 - 00:03 25-04-2018 - 21:29
CVE-2018-1338 4.3
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
03-10-2019 - 00:03 25-04-2018 - 21:29
CVE-2018-1000130 6.8
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.
08-03-2019 - 15:16 14-03-2018 - 13:29
CVE-2018-1000129 4.3
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser.
07-03-2019 - 20:12 14-03-2018 - 13:29
Back to Top Mark selected
Back to Top