Vulnerability-Lookup

NCSC-2024-0417

Vulnerability from csaf_ncscnl - Published: 2024-10-17 13:19 - Updated: 2024-10-17 13:19

Summary

Kwetsbaarheden verholpen in Oracle Fusion Middleware

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: Oracle heeft kwetsbaarheden verholpen in Fusion Middleware componenten, zoals WebLogic Server, WebCenter en HTTP Server.

Interpretaties: Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade: - Denial-of-Service (DoS) - Manipuleren van data - Uitvoer van willekeurige code (Administratorrechten) - Toegang tot gevoelige gegevens Omdat deze kwetsbaarheden zich bevinden in diverse Middleware producten, is niet uit te sluiten dat applicaties, draaiende op platformen ondersteund door deze middleware ook kwetsbaar zijn, danwel gevoelig voor misbruik van deze kwetsbaarheden.

Oplossingen: Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer infomatie.

Kans: medium

Schade: high

CWE-1325: Improperly Controlled Sequential Memory Allocation

CWE-390: Detection of Error Condition Without Action

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CWE-178: Improper Handling of Case Sensitivity

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CWE-190: Integer Overflow or Wraparound

CWE-404: Improper Resource Shutdown or Release

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-416: Use After Free

CWE-401: Missing Release of Memory after Effective Lifetime

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-400: Uncontrolled Resource Consumption

CWE-770: Allocation of Resources Without Limits or Throttling

CWE-502: Deserialization of Untrusted Data

CWE-918: Server-Side Request Forgery (SSRF)

CWE-787: Out-of-bounds Write

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-20: Improper Input Validation

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-11023

6.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Known affected 25 products

Product	Identifier	Version
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:10.3.6.0:::::::*`	—
business_process_management_suite oracle	`cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:9.1.0.0.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.3.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*`	—
webcenter_sites_support_tools oracle	`cpe:2.3:a:oracle:webcenter_sites_support_tools::::::::`	—

CVE-2020-17521

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Affected products

Known affected 38 products

Product	Identifier	Version
business_process_management_suite oracle	`cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:9.1.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_console___12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_third_party___12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_console___12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_third_party___12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_console___14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_third_party___14.1.1.0.0:::::::*`	—
business_activity_monitoring__bam_ oracle	`cpe:2.3:a:oracle:business_activity_monitoring__bam_:12.2.1.3.0:::::::*`	—
business_activity_monitoring__bam_ oracle	`cpe:2.3:a:oracle:business_activity_monitoring__bam_:12.2.1.4.0:::::::*`	—
business_process_management_suite oracle	`cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.3.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.3.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:9.1.0.0.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::*`	—
webcenter_sites_support_tools oracle	`cpe:2.3:a:oracle:webcenter_sites_support_tools::::::::`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector::::::::`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.5:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:all_supported_s:::::::*`	—

CVE-2022-1471

CWE-502 - Deserialization of Untrusted Data

Affected products

Known affected 26 products

Product	Identifier	Version
business_process_management_suite oracle	`cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:9.1.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_console___12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_third_party___12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_console___12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_third_party___12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_console___14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:_third_party___14.1.1.0.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:14.1.1.0.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_enterprise_capture oracle	`cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:::::::*`	—

CVE-2023-4759

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Affected products

Known affected 10 products

Product	Identifier	Version
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2023-35116

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Known affected 20 products

Product	Identifier	Version
business_process_management_suite oracle	`cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:14.1.1.0.0:::::::*`	—
webcenter_enterprise_capture oracle	`cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—

CVE-2023-39743

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—

CVE-2023-51775

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 18 products

Product	Identifier	Version
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:14.1.1.0.0:::::::*`	—
webcenter_enterprise_capture oracle	`cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—

CVE-2024-2511

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-404 - Improper Resource Shutdown or Release

Affected products

Known affected 10 products

Product	Identifier	Version
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-6345

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-21190

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
global_lifecycle_management_fmw_installer oracle	`cpe:2.3:a:oracle:global_lifecycle_management_fmw_installer:12.2.1.4.0:::::::*`	—

CVE-2024-21191

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
enterprise_manager_fusion_middleware_control oracle	`cpe:2.3:a:oracle:enterprise_manager_fusion_middleware_control:12.2.1.4.0:::::::*`	—

CVE-2024-21192

CVE-2024-21205

CVE-2024-21215

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-21216

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—

CVE-2024-21234

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-21246

CVE-2024-21260

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-21274

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—

CVE-2024-22201

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 18 products

Product	Identifier	Version
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:14.1.1.0.0:::::::*`	—
webcenter_enterprise_capture oracle	`cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—

CVE-2024-22262

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Affected products

Known affected 11 products

Product	Identifier	Version
webcenter_forms_recognition oracle	`cpe:2.3:a:oracle:webcenter_forms_recognition:14.1.1.0.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-23807

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-416 - Use After Free

Affected products

Known affected 10 products

Product	Identifier	Version
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-24549

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

Affected products

Known affected 18 products

Product	Identifier	Version
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.6:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
managed_file_transfer oracle	`cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*`	—
identity_manager_connector oracle	`cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:14.1.1.0.0:::::::*`	—
webcenter_enterprise_capture oracle	`cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:::::::*`	—
weblogic_server_proxy_plug-in oracle	`cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—

CVE-2024-25269

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-401 - Missing Release of Memory after Effective Lifetime

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—

CVE-2024-28182

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Known affected 11 products

Product	Identifier	Version
http_server oracle	`cpe:2.3:a:oracle:http_server:14.1.1.0.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-28752

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Known affected 11 products

Product	Identifier	Version
webcenter_forms_recognition oracle	`cpe:2.3:a:oracle:webcenter_forms_recognition:14.1.1.0.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-29131

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-787 - Out-of-bounds Write

Affected products

Known affected 10 products

Product	Identifier	Version
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—
data_integrator oracle	`cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*`	—
http_server oracle	`cpe:2.3:a:oracle:http_server:12.2.1.4.0:::::::*`	—
middleware_common_libraries_and_tools oracle	`cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:::::::*`	—
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—
webcenter_content oracle	`cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::*`	—
webcenter_portal oracle	`cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*`	—
webcenter_sites oracle	`cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*`	—
weblogic_server oracle	`cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*`	—

CVE-2024-36052

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—

CVE-2024-38999

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
business_process_management_suite oracle	`cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*`	—
business_activity_monitoring oracle	`cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:::::::*`	—

CVE-2024-45492

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-190 - Integer Overflow or Wraparound

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
outside_in_technology oracle	`cpe:2.3:a:oracle:outside_in_technology:8.5.7:::::::*`	—

References

31 references

URL	Category
https://www.oracle.com/security-alerts/cpuoct2024.html	external
https://api.ncsc.nl/velma/v1/vulnerabilities/2020…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2020…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2022…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2023…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2023…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2023…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2023…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self
https://api.ncsc.nl/velma/v1/vulnerabilities/2024…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Oracle heeft kwetsbaarheden verholpen in Fusion Middleware componenten, zoals WebLogic Server, WebCenter en HTTP Server.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorie\u00ebn schade:\n\n- Denial-of-Service (DoS)\n- Manipuleren van data\n- Uitvoer van willekeurige code (Administratorrechten)\n- Toegang tot gevoelige gegevens\n\nOmdat deze kwetsbaarheden zich bevinden in diverse Middleware producten, is niet uit te sluiten dat applicaties, draaiende op platformen ondersteund door deze middleware ook kwetsbaar zijn, danwel gevoelig voor misbruik van deze kwetsbaarheden.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer infomatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improperly Controlled Sequential Memory Allocation",
        "title": "CWE-1325"
      },
      {
        "category": "general",
        "text": "Detection of Error Condition Without Action",
        "title": "CWE-390"
      },
      {
        "category": "general",
        "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
        "title": "CWE-59"
      },
      {
        "category": "general",
        "text": "Improper Handling of Case Sensitivity",
        "title": "CWE-178"
      },
      {
        "category": "general",
        "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
        "title": "CWE-601"
      },
      {
        "category": "general",
        "text": "Integer Overflow or Wraparound",
        "title": "CWE-190"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
        "title": "CWE-1321"
      },
      {
        "category": "general",
        "text": "Use After Free",
        "title": "CWE-416"
      },
      {
        "category": "general",
        "text": "Missing Release of Memory after Effective Lifetime",
        "title": "CWE-401"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Write",
        "title": "CWE-787"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; hkcert; nvd; oracle; redhat",
        "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Oracle Fusion Middleware",
    "tracking": {
      "current_release_date": "2024-10-17T13:19:16.185510Z",
      "id": "NCSC-2024-0417",
      "initial_release_date": "2024-10-17T13:19:16.185510Z",
      "revision_history": [
        {
          "date": "2024-10-17T13:19:16.185510Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "outside_in_technology",
            "product": {
              "name": "outside_in_technology",
              "product_id": "CSAFPID-292093",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "outside_in_technology",
            "product": {
              "name": "outside_in_technology",
              "product_id": "CSAFPID-1260",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:outside_in_technology:8.5.6:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "outside_in_technology",
            "product": {
              "name": "outside_in_technology",
              "product_id": "CSAFPID-912053",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:outside_in_technology:8.5.7:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server_proxy_plug-in",
            "product": {
              "name": "weblogic_server_proxy_plug-in",
              "product_id": "CSAFPID-199883",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server_proxy_plug-in",
            "product": {
              "name": "weblogic_server_proxy_plug-in",
              "product_id": "CSAFPID-951239",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-764797",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:_console___12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-764799",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:_console___12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-764801",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:_console___14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-764798",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:_third_party___12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-764800",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:_third_party___12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-764802",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:_third_party___14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-113536",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:10.3.6.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-113521",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-3663",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-94310",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-3661",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-3660",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-1504444",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "weblogic_server",
            "product": {
              "name": "weblogic_server",
              "product_id": "CSAFPID-1973",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_content",
            "product": {
              "name": "webcenter_content",
              "product_id": "CSAFPID-389123",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_content:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_content",
            "product": {
              "name": "webcenter_content",
              "product_id": "CSAFPID-179795",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_enterprise_capture",
            "product": {
              "name": "webcenter_enterprise_capture",
              "product_id": "CSAFPID-912594",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_forms_recognition",
            "product": {
              "name": "webcenter_forms_recognition",
              "product_id": "CSAFPID-1673476",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_forms_recognition:14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_portal",
            "product": {
              "name": "webcenter_portal",
              "product_id": "CSAFPID-135359",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_portal",
            "product": {
              "name": "webcenter_portal",
              "product_id": "CSAFPID-45194",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_sites_support_tools",
            "product": {
              "name": "webcenter_sites_support_tools",
              "product_id": "CSAFPID-765268",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_sites_support_tools:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_sites",
            "product": {
              "name": "webcenter_sites",
              "product_id": "CSAFPID-9026",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_sites",
            "product": {
              "name": "webcenter_sites",
              "product_id": "CSAFPID-135354",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "webcenter_sites",
            "product": {
              "name": "webcenter_sites",
              "product_id": "CSAFPID-765390",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:webcenter_sites:all_supported_s:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "data_integrator",
            "product": {
              "name": "data_integrator",
              "product_id": "CSAFPID-204494",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "data_integrator",
            "product": {
              "name": "data_integrator",
              "product_id": "CSAFPID-204566",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "business_activity_monitoring__bam_",
            "product": {
              "name": "business_activity_monitoring__bam_",
              "product_id": "CSAFPID-764927",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:business_activity_monitoring__bam_:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "business_activity_monitoring__bam_",
            "product": {
              "name": "business_activity_monitoring__bam_",
              "product_id": "CSAFPID-764928",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:business_activity_monitoring__bam_:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "business_activity_monitoring",
            "product": {
              "name": "business_activity_monitoring",
              "product_id": "CSAFPID-228157",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "business_process_management_suite",
            "product": {
              "name": "business_process_management_suite",
              "product_id": "CSAFPID-9043",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "business_process_management_suite",
            "product": {
              "name": "business_process_management_suite",
              "product_id": "CSAFPID-9642",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "middleware_common_libraries_and_tools",
            "product": {
              "name": "middleware_common_libraries_and_tools",
              "product_id": "CSAFPID-94398",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "middleware_common_libraries_and_tools",
            "product": {
              "name": "middleware_common_libraries_and_tools",
              "product_id": "CSAFPID-94309",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "middleware_common_libraries_and_tools",
            "product": {
              "name": "middleware_common_libraries_and_tools",
              "product_id": "CSAFPID-94393",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "enterprise_manager_fusion_middleware_control",
            "product": {
              "name": "enterprise_manager_fusion_middleware_control",
              "product_id": "CSAFPID-1673426",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:enterprise_manager_fusion_middleware_control:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "global_lifecycle_management_fmw_installer",
            "product": {
              "name": "global_lifecycle_management_fmw_installer",
              "product_id": "CSAFPID-1673425",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:global_lifecycle_management_fmw_installer:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-93909",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-40303",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-912074",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:http_server:14.1.1.0.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "managed_file_transfer",
            "product": {
              "name": "managed_file_transfer",
              "product_id": "CSAFPID-204452",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "managed_file_transfer",
            "product": {
              "name": "managed_file_transfer",
              "product_id": "CSAFPID-204581",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "identity_manager_connector",
            "product": {
              "name": "identity_manager_connector",
              "product_id": "CSAFPID-765382",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:identity_manager_connector:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "identity_manager_connector",
            "product": {
              "name": "identity_manager_connector",
              "product_id": "CSAFPID-227776",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "identity_manager_connector",
            "product": {
              "name": "identity_manager_connector",
              "product_id": "CSAFPID-396523",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:identity_manager_connector:12.2.1.3.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "identity_manager_connector",
            "product": {
              "name": "identity_manager_connector",
              "product_id": "CSAFPID-204638",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:identity_manager_connector:9.1.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "identity_manager_connector",
            "product": {
              "name": "identity_manager_connector",
              "product_id": "CSAFPID-765267",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:oracle:identity_manager_connector:9.1.0.0.0:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-11023",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1973",
          "CSAFPID-3660",
          "CSAFPID-135354",
          "CSAFPID-9026",
          "CSAFPID-3663",
          "CSAFPID-3661",
          "CSAFPID-94310",
          "CSAFPID-113521",
          "CSAFPID-113536",
          "CSAFPID-9642",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-204581",
          "CSAFPID-94309",
          "CSAFPID-1260",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-204494",
          "CSAFPID-93909",
          "CSAFPID-765267",
          "CSAFPID-204452",
          "CSAFPID-94398",
          "CSAFPID-389123",
          "CSAFPID-135359",
          "CSAFPID-765268"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-11023",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-11023.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1973",
            "CSAFPID-3660",
            "CSAFPID-135354",
            "CSAFPID-9026",
            "CSAFPID-3663",
            "CSAFPID-3661",
            "CSAFPID-94310",
            "CSAFPID-113521",
            "CSAFPID-113536",
            "CSAFPID-9642",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-204581",
            "CSAFPID-94309",
            "CSAFPID-1260",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-204494",
            "CSAFPID-93909",
            "CSAFPID-765267",
            "CSAFPID-204452",
            "CSAFPID-94398",
            "CSAFPID-389123",
            "CSAFPID-135359",
            "CSAFPID-765268"
          ]
        }
      ],
      "title": "CVE-2020-11023"
    },
    {
      "cve": "CVE-2020-17521",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-9642",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-396523",
          "CSAFPID-204638",
          "CSAFPID-94309",
          "CSAFPID-179795",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973",
          "CSAFPID-204581",
          "CSAFPID-1260",
          "CSAFPID-45194",
          "CSAFPID-764797",
          "CSAFPID-764798",
          "CSAFPID-3661",
          "CSAFPID-764799",
          "CSAFPID-764800",
          "CSAFPID-764801",
          "CSAFPID-764802",
          "CSAFPID-764927",
          "CSAFPID-764928",
          "CSAFPID-9043",
          "CSAFPID-93909",
          "CSAFPID-94398",
          "CSAFPID-389123",
          "CSAFPID-135359",
          "CSAFPID-9026",
          "CSAFPID-204494",
          "CSAFPID-765267",
          "CSAFPID-204452",
          "CSAFPID-765268",
          "CSAFPID-227776",
          "CSAFPID-94310",
          "CSAFPID-765382",
          "CSAFPID-292093",
          "CSAFPID-94393",
          "CSAFPID-765390"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-17521",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-17521.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-9642",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-396523",
            "CSAFPID-204638",
            "CSAFPID-94309",
            "CSAFPID-179795",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973",
            "CSAFPID-204581",
            "CSAFPID-1260",
            "CSAFPID-45194",
            "CSAFPID-764797",
            "CSAFPID-764798",
            "CSAFPID-3661",
            "CSAFPID-764799",
            "CSAFPID-764800",
            "CSAFPID-764801",
            "CSAFPID-764802",
            "CSAFPID-764927",
            "CSAFPID-764928",
            "CSAFPID-9043",
            "CSAFPID-93909",
            "CSAFPID-94398",
            "CSAFPID-389123",
            "CSAFPID-135359",
            "CSAFPID-9026",
            "CSAFPID-204494",
            "CSAFPID-765267",
            "CSAFPID-204452",
            "CSAFPID-765268",
            "CSAFPID-227776",
            "CSAFPID-94310",
            "CSAFPID-765382",
            "CSAFPID-292093",
            "CSAFPID-94393",
            "CSAFPID-765390"
          ]
        }
      ],
      "title": "CVE-2020-17521"
    },
    {
      "cve": "CVE-2022-1471",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-9642",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-204581",
          "CSAFPID-94309",
          "CSAFPID-1260",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-3661",
          "CSAFPID-3660",
          "CSAFPID-1973",
          "CSAFPID-396523",
          "CSAFPID-204638",
          "CSAFPID-135354",
          "CSAFPID-764797",
          "CSAFPID-764798",
          "CSAFPID-764799",
          "CSAFPID-764800",
          "CSAFPID-764801",
          "CSAFPID-764802",
          "CSAFPID-199883",
          "CSAFPID-912074",
          "CSAFPID-94393",
          "CSAFPID-912053",
          "CSAFPID-912594",
          "CSAFPID-951239"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-1471",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-1471.json"
        }
      ],
      "title": "CVE-2022-1471"
    },
    {
      "cve": "CVE-2023-4759",
      "cwe": {
        "id": "CWE-59",
        "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
          "title": "CWE-59"
        },
        {
          "category": "other",
          "text": "Improper Handling of Case Sensitivity",
          "title": "CWE-178"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-4759",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-4759.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2023-4759"
    },
    {
      "cve": "CVE-2023-35116",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-9642",
          "CSAFPID-40303",
          "CSAFPID-1260",
          "CSAFPID-45194",
          "CSAFPID-3661",
          "CSAFPID-3660",
          "CSAFPID-1973",
          "CSAFPID-199883",
          "CSAFPID-951239",
          "CSAFPID-94309",
          "CSAFPID-179795",
          "CSAFPID-204566",
          "CSAFPID-204581",
          "CSAFPID-94393",
          "CSAFPID-396523",
          "CSAFPID-912053",
          "CSAFPID-912074",
          "CSAFPID-912594",
          "CSAFPID-228157",
          "CSAFPID-135354"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-35116",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-35116.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-9642",
            "CSAFPID-40303",
            "CSAFPID-1260",
            "CSAFPID-45194",
            "CSAFPID-3661",
            "CSAFPID-3660",
            "CSAFPID-1973",
            "CSAFPID-199883",
            "CSAFPID-951239",
            "CSAFPID-94309",
            "CSAFPID-179795",
            "CSAFPID-204566",
            "CSAFPID-204581",
            "CSAFPID-94393",
            "CSAFPID-396523",
            "CSAFPID-912053",
            "CSAFPID-912074",
            "CSAFPID-912594",
            "CSAFPID-228157",
            "CSAFPID-135354"
          ]
        }
      ],
      "title": "CVE-2023-35116"
    },
    {
      "cve": "CVE-2023-39743",
      "product_status": {
        "known_affected": [
          "CSAFPID-912053"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-39743",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-39743.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-912053"
          ]
        }
      ],
      "title": "CVE-2023-39743"
    },
    {
      "cve": "CVE-2023-51775",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1260",
          "CSAFPID-1973",
          "CSAFPID-3660",
          "CSAFPID-40303",
          "CSAFPID-45194",
          "CSAFPID-94309",
          "CSAFPID-94393",
          "CSAFPID-179795",
          "CSAFPID-199883",
          "CSAFPID-204566",
          "CSAFPID-204581",
          "CSAFPID-396523",
          "CSAFPID-912053",
          "CSAFPID-912074",
          "CSAFPID-912594",
          "CSAFPID-951239",
          "CSAFPID-228157",
          "CSAFPID-135354"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-51775",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-51775.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1260",
            "CSAFPID-1973",
            "CSAFPID-3660",
            "CSAFPID-40303",
            "CSAFPID-45194",
            "CSAFPID-94309",
            "CSAFPID-94393",
            "CSAFPID-179795",
            "CSAFPID-199883",
            "CSAFPID-204566",
            "CSAFPID-204581",
            "CSAFPID-396523",
            "CSAFPID-912053",
            "CSAFPID-912074",
            "CSAFPID-912594",
            "CSAFPID-951239",
            "CSAFPID-228157",
            "CSAFPID-135354"
          ]
        }
      ],
      "title": "CVE-2023-51775"
    },
    {
      "cve": "CVE-2024-2511",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Improperly Controlled Sequential Memory Allocation",
          "title": "CWE-1325"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-2511",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2511.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-2511"
    },
    {
      "cve": "CVE-2024-6345",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-6345",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6345.json"
        }
      ],
      "title": "CVE-2024-6345"
    },
    {
      "cve": "CVE-2024-21190",
      "product_status": {
        "known_affected": [
          "CSAFPID-1673425"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21190",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21190.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1673425"
          ]
        }
      ],
      "title": "CVE-2024-21190"
    },
    {
      "cve": "CVE-2024-21191",
      "product_status": {
        "known_affected": [
          "CSAFPID-1673426"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21191",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21191.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1673426"
          ]
        }
      ],
      "title": "CVE-2024-21191"
    },
    {
      "cve": "CVE-2024-21192",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21192",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21192.json"
        }
      ],
      "title": "CVE-2024-21192"
    },
    {
      "cve": "CVE-2024-21205",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21205",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21205.json"
        }
      ],
      "title": "CVE-2024-21205"
    },
    {
      "cve": "CVE-2024-21215",
      "product_status": {
        "known_affected": [
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21215",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21215.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-21215"
    },
    {
      "cve": "CVE-2024-21216",
      "product_status": {
        "known_affected": [
          "CSAFPID-1973",
          "CSAFPID-3660"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21216",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21216.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1973",
            "CSAFPID-3660"
          ]
        }
      ],
      "title": "CVE-2024-21216"
    },
    {
      "cve": "CVE-2024-21234",
      "product_status": {
        "known_affected": [
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21234",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21234.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-21234"
    },
    {
      "cve": "CVE-2024-21246",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21246",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21246.json"
        }
      ],
      "title": "CVE-2024-21246"
    },
    {
      "cve": "CVE-2024-21260",
      "product_status": {
        "known_affected": [
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21260",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21260.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-21260"
    },
    {
      "cve": "CVE-2024-21274",
      "product_status": {
        "known_affected": [
          "CSAFPID-1973",
          "CSAFPID-3660"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21274",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21274.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1973",
            "CSAFPID-3660"
          ]
        }
      ],
      "title": "CVE-2024-21274"
    },
    {
      "cve": "CVE-2024-22201",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-199883",
          "CSAFPID-1260",
          "CSAFPID-1973",
          "CSAFPID-3660",
          "CSAFPID-40303",
          "CSAFPID-45194",
          "CSAFPID-94309",
          "CSAFPID-94393",
          "CSAFPID-179795",
          "CSAFPID-204566",
          "CSAFPID-204581",
          "CSAFPID-396523",
          "CSAFPID-912053",
          "CSAFPID-912074",
          "CSAFPID-912594",
          "CSAFPID-951239",
          "CSAFPID-228157",
          "CSAFPID-135354"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-22201",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22201.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-199883",
            "CSAFPID-1260",
            "CSAFPID-1973",
            "CSAFPID-3660",
            "CSAFPID-40303",
            "CSAFPID-45194",
            "CSAFPID-94309",
            "CSAFPID-94393",
            "CSAFPID-179795",
            "CSAFPID-204566",
            "CSAFPID-204581",
            "CSAFPID-396523",
            "CSAFPID-912053",
            "CSAFPID-912074",
            "CSAFPID-912594",
            "CSAFPID-951239",
            "CSAFPID-228157",
            "CSAFPID-135354"
          ]
        }
      ],
      "title": "CVE-2024-22201"
    },
    {
      "cve": "CVE-2024-22262",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
          "title": "CWE-601"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1673476",
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-22262",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22262.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1673476",
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-22262"
    },
    {
      "cve": "CVE-2024-23807",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use After Free",
          "title": "CWE-416"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-23807",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23807.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-23807"
    },
    {
      "cve": "CVE-2024-24549",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-199883",
          "CSAFPID-1260",
          "CSAFPID-1973",
          "CSAFPID-3660",
          "CSAFPID-40303",
          "CSAFPID-45194",
          "CSAFPID-94309",
          "CSAFPID-94393",
          "CSAFPID-179795",
          "CSAFPID-204566",
          "CSAFPID-204581",
          "CSAFPID-396523",
          "CSAFPID-912053",
          "CSAFPID-912074",
          "CSAFPID-912594",
          "CSAFPID-951239",
          "CSAFPID-228157",
          "CSAFPID-135354"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-24549",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-24549.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-199883",
            "CSAFPID-1260",
            "CSAFPID-1973",
            "CSAFPID-3660",
            "CSAFPID-40303",
            "CSAFPID-45194",
            "CSAFPID-94309",
            "CSAFPID-94393",
            "CSAFPID-179795",
            "CSAFPID-204566",
            "CSAFPID-204581",
            "CSAFPID-396523",
            "CSAFPID-912053",
            "CSAFPID-912074",
            "CSAFPID-912594",
            "CSAFPID-951239",
            "CSAFPID-228157",
            "CSAFPID-135354"
          ]
        }
      ],
      "title": "CVE-2024-24549"
    },
    {
      "cve": "CVE-2024-25269",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Release of Memory after Effective Lifetime",
          "title": "CWE-401"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-912053"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-25269",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25269.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-912053"
          ]
        }
      ],
      "title": "CVE-2024-25269"
    },
    {
      "cve": "CVE-2024-28182",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        },
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Detection of Error Condition Without Action",
          "title": "CWE-390"
        },
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-912074",
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-28182",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-28182.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-912074",
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-28182"
    },
    {
      "cve": "CVE-2024-28752",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1673476",
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-28752",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-28752.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1673476",
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-28752"
    },
    {
      "cve": "CVE-2024-29131",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Write",
          "title": "CWE-787"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-228157",
          "CSAFPID-204566",
          "CSAFPID-40303",
          "CSAFPID-94309",
          "CSAFPID-912053",
          "CSAFPID-179795",
          "CSAFPID-45194",
          "CSAFPID-135354",
          "CSAFPID-3660",
          "CSAFPID-1973"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-29131",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29131.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-228157",
            "CSAFPID-204566",
            "CSAFPID-40303",
            "CSAFPID-94309",
            "CSAFPID-912053",
            "CSAFPID-179795",
            "CSAFPID-45194",
            "CSAFPID-135354",
            "CSAFPID-3660",
            "CSAFPID-1973"
          ]
        }
      ],
      "title": "CVE-2024-29131"
    },
    {
      "cve": "CVE-2024-36052",
      "product_status": {
        "known_affected": [
          "CSAFPID-912053"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-36052",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-36052.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-912053"
          ]
        }
      ],
      "title": "CVE-2024-36052"
    },
    {
      "cve": "CVE-2024-38999",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
          "title": "CWE-1321"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-9642",
          "CSAFPID-228157"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38999",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38999.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-9642",
            "CSAFPID-228157"
          ]
        }
      ],
      "title": "CVE-2024-38999"
    },
    {
      "cve": "CVE-2024-45492",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "other",
          "text": "Integer Overflow or Wraparound",
          "title": "CWE-190"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-912053"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-45492",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45492.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-912053"
          ]
        }
      ],
      "title": "CVE-2024-45492"
    }
  ]
}

CVE-2020-11023 (GCVE-0-2020-11023)

Vulnerability from cvelistv5 – Published: 2020-04-29 00:00 – Updated: 2025-10-21 23:35

Title

Potential XSS vulnerability in jQuery

Summary

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Severity

6.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

65 references

URL	Tags
https://www.debian.org/security/2020/dsa-4693	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://www.oracle.com/security-alerts/cpujul2020.html
https://jquery.com/upgrade-guide/3.5/
https://security.netapp.com/advisory/ntap-2020051…
https://www.drupal.org/sa-core-2020-002
https://github.com/jquery/jquery/security/advisor…
https://blog.jquery.com/2020/04/10/jquery-3-5-0-r…
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
https://security.gentoo.org/glsa/202007-03	vendor-advisory
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
https://lists.apache.org/thread.html/r094f4355955…	mailing-list
https://lists.apache.org/thread.html/rf661a90a15d…	mailing-list
https://lists.apache.org/thread.html/r9c5fda81e4b…	mailing-list
https://lists.apache.org/thread.html/ra3c9219fcb0…	mailing-list
https://lists.apache.org/thread.html/radcb2aa874a…	mailing-list
https://lists.apache.org/thread.html/rd38b4185a79…	mailing-list
https://lists.apache.org/thread.html/r6e97b379639…	mailing-list
https://lists.apache.org/thread.html/rb69b7d8217c…	mailing-list
https://lists.apache.org/thread.html/r4aadb98086c…	mailing-list
https://lists.apache.org/thread.html/ra374bb0299b…	mailing-list
https://lists.apache.org/thread.html/rb25c3bc7418…	mailing-list
https://lists.apache.org/thread.html/rf1ba79e564f…	mailing-list
https://lists.apache.org/thread.html/ra32c7103ded…	mailing-list
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.apache.org/thread.html/ra406b3adfcf…	mailing-list
https://lists.apache.org/thread.html/rab82dd040f3…	mailing-list
https://lists.apache.org/thread.html/r6c4df3b33e6…	mailing-list
https://lists.apache.org/thread.html/r1fed19c860a…	mailing-list
https://lists.apache.org/thread.html/r0593393ca1e…	mailing-list
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.apache.org/thread.html/rda99599896c…	mailing-list
https://www.oracle.com/security-alerts/cpuoct2020.html
https://lists.apache.org/thread.html/r706cfbc0984…	mailing-list
https://lists.apache.org/thread.html/rbb448222ba6…	mailing-list
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
https://lists.apache.org/thread.html/r49ce4243b47…	mailing-list
https://lists.apache.org/thread.html/r2c85121a474…	mailing-list
https://lists.apache.org/thread.html/r4dba67be323…	mailing-list
https://lists.apache.org/thread.html/r3702ede0ff8…	mailing-list
https://lists.apache.org/thread.html/r07ab379471f…	mailing-list
https://lists.apache.org/thread.html/r9e0bd31b7da…	mailing-list
https://lists.apache.org/thread.html/rf0f89395960…	mailing-list
https://lists.apache.org/thread.html/r9006ad2abf8…	mailing-list
https://lists.apache.org/thread.html/r55f5e066cc7…	mailing-list
https://www.oracle.com/security-alerts/cpujan2021.html
https://lists.apache.org/thread.html/r8f70b0f65d6…	mailing-list
https://lists.apache.org/thread.html/r564585d97bc…	mailing-list
https://lists.debian.org/debian-lts-announce/2021…	mailing-list
https://lists.apache.org/thread.html/ree3bd8ddb23…	mailing-list
https://lists.apache.org/thread.html/rede9cfaa756…	mailing-list
https://lists.apache.org/thread.html/r54565a8f025…	mailing-list
https://lists.apache.org/thread.html/re4ae96fa5c1…	mailing-list
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.tenable.com/security/tns-2021-10
https://www.tenable.com/security/tns-2021-02
http://packetstormsecurity.com/files/162160/jQuer…
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.apache.org/thread.html/r0483ba00727…	mailing-list
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Impacted products

1 product

Vendor	Product	Version
jquery	jQuery	Affected: >= 1.0.3, < 3.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-23T21:07:47.681Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37"
          },
          {
            "name": "DSA-4693",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4693"
          },
          {
            "name": "FEDORA-2020-36d2db5f51",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jquery.com/upgrade-guide/3.5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200511-0006/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.drupal.org/sa-core-2020-002"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released"
          },
          {
            "name": "openSUSE-SU-2020:1060",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
          },
          {
            "name": "GLSA-202007-03",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202007-03"
          },
          {
            "name": "openSUSE-SU-2020:1106",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
          },
          {
            "name": "[hive-issues] 20200813 [jira] [Assigned] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-dev] 20200813 [jira] [Created] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200813 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-gitbox] 20200813 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200902 [jira] [Work started] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200902 [jira] [Commented] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200902 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200902 [jira] [Comment Edited] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200904 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E"
          },
          {
            "name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E"
          },
          {
            "name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E"
          },
          {
            "name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E"
          },
          {
            "name": "FEDORA-2020-fbb94073a1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/"
          },
          {
            "name": "FEDORA-2020-0b32a59b54",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/"
          },
          {
            "name": "[hive-issues] 20200915 [jira] [Resolved] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-commits] 20200915 [hive] branch master updated: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023 (#1403)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200915 [jira] [Work logged] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "[hive-gitbox] 20200915 [GitHub] [hive] kgyrtkirk merged pull request #1403: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E"
          },
          {
            "name": "[hive-issues] 20200915 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E"
          },
          {
            "name": "FEDORA-2020-fe94df8c34",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/"
          },
          {
            "name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "name": "[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E"
          },
          {
            "name": "openSUSE-SU-2020:1888",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html"
          },
          {
            "name": "[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [jira] [Created] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [GitHub] [felix-dev] cziegeler merged pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [jira] [Commented] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [jira] [Assigned] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E"
          },
          {
            "name": "[felix-commits] 20201208 [felix-dev] branch master updated: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023 (#64)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E"
          },
          {
            "name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.5.0 is vulnerable to CVE-2020-11023",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "name": "[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html"
          },
          {
            "name": "[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E"
          },
          {
            "name": "[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2021-10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2021-02"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "name": "[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-11023",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-23T18:07:17.892570Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-01-23",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:35:45.230Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-01-23T00:00:00.000Z",
            "value": "CVE-2020-11023 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jQuery",
          "vendor": "jquery",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.3, \u003c 3.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing \u003coption\u003e elements from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-31T02:06:42.262Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "DSA-4693",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4693"
        },
        {
          "name": "FEDORA-2020-36d2db5f51",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "url": "https://jquery.com/upgrade-guide/3.5/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20200511-0006/"
        },
        {
          "url": "https://www.drupal.org/sa-core-2020-002"
        },
        {
          "url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6"
        },
        {
          "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released"
        },
        {
          "name": "openSUSE-SU-2020:1060",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html"
        },
        {
          "name": "GLSA-202007-03",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202007-03"
        },
        {
          "name": "openSUSE-SU-2020:1106",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html"
        },
        {
          "name": "[hive-issues] 20200813 [jira] [Assigned] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-dev] 20200813 [jira] [Created] (HIVE-24039) update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200813 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-gitbox] 20200813 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200902 [jira] [Work started] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200902 [jira] [Commented] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200902 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200902 [jira] [Comment Edited] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200904 [jira] [Assigned] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E"
        },
        {
          "name": "[hive-gitbox] 20200911 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E"
        },
        {
          "name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh closed pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E"
        },
        {
          "name": "[hive-gitbox] 20200912 [GitHub] [hive] rajkrrsingh opened a new pull request #1403: Hive 24039 : Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E"
        },
        {
          "name": "FEDORA-2020-fbb94073a1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/"
        },
        {
          "name": "FEDORA-2020-0b32a59b54",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/"
        },
        {
          "name": "[hive-issues] 20200915 [jira] [Resolved] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-commits] 20200915 [hive] branch master updated: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023 (#1403)",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200915 [jira] [Work logged] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "[hive-gitbox] 20200915 [GitHub] [hive] kgyrtkirk merged pull request #1403: HIVE-24039 : Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E"
        },
        {
          "name": "[hive-issues] 20200915 [jira] [Updated] (HIVE-24039) Update jquery version to mitigate CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E"
        },
        {
          "name": "FEDORA-2020-fe94df8c34",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/"
        },
        {
          "name": "[nifi-commits] 20200930 svn commit: r1882168 - /nifi/site/trunk/security.html",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "name": "[flink-issues] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[flink-dev] 20201105 [jira] [Created] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E"
        },
        {
          "name": "openSUSE-SU-2020:1888",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html"
        },
        {
          "name": "[flink-issues] 20201129 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [jira] [Created] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [GitHub] [felix-dev] cziegeler merged pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #64: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [jira] [Commented] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [jira] [Assigned] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E"
        },
        {
          "name": "[felix-commits] 20201208 [felix-dev] branch master updated: FELIX-6366 1.0.3 \u003c jQuery \u003c3.4.0 is vulnerable to CVE-2020-11023 (#64)",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E"
        },
        {
          "name": "[felix-dev] 20201208 [jira] [Updated] (FELIX-6366) 1.0.3 \u003c jQuery \u003c3.5.0 is vulnerable to CVE-2020-11023",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "name": "[flink-issues] 20210209 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[flink-issues] 20210209 [jira] [Comment Edited] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20210326 [SECURITY] [DLA 2608-1] jquery security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html"
        },
        {
          "name": "[flink-issues] 20210422 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[flink-issues] 20210422 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[flink-issues] 20210429 [jira] [Commented] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E"
        },
        {
          "name": "[flink-issues] 20210429 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "url": "https://www.tenable.com/security/tns-2021-10"
        },
        {
          "url": "https://www.tenable.com/security/tns-2021-02"
        },
        {
          "url": "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html"
        },
        {
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "name": "[flink-issues] 20211031 [jira] [Updated] (FLINK-20014) Resolve CVE-2020-11022 and CVE-2020-11023 in scala-compiler",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jpcq-cgw6-v4j6",
        "discovery": "UNKNOWN"
      },
      "title": "Potential XSS vulnerability in jQuery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11023",
    "datePublished": "2020-04-29T00:00:00.000Z",
    "dateReserved": "2020-03-30T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:35:45.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-17521 (GCVE-0-2020-17521)

Vulnerability from cvelistv5 – Published: 2020-12-07 19:22 – Updated: 2024-08-04 14:00

Summary

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Severity

No CVSS data available.

CWE

Information Disclosure

Assigner

apache

References

12 references

URL	Tags
https://groovy-lang.org/security.html#CVE-2020-17521	x_refsource_CONFIRM
https://lists.apache.org/thread.html/ra9dab34bf86…	mailing-listx_refsource_MLIST
https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2020121…	x_refsource_CONFIRM
https://lists.apache.org/thread.html/rea63a4666ba…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r4b2f13c302e…	mailing-listx_refsource_MLIST
https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Groovy	Affected: 2.0 to 2.4.20 Affected: 2.5.0 to 2.5.13 Affected: 3.0.0 to 3.0.6 Affected: 4.0.0-alpha-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T14:00:48.677Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groovy-lang.org/security.html#CVE-2020-17521"
          },
          {
            "name": "[groovy-notifications] 20201207 [jira] [Closed] (GROOVY-9824) CVE-2020-17521 Apache Groovy Information Disclosure",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20201218-0006/"
          },
          {
            "name": "[atlas-dev] 20210422 [jira] [Created] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E"
          },
          {
            "name": "[atlas-dev] 20210422 [jira] [Updated] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Groovy",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "2.0 to 2.4.20"
            },
            {
              "status": "affected",
              "version": "2.5.0 to 2.5.13"
            },
            {
              "status": "affected",
              "version": "3.0.0 to 3.0.6"
            },
            {
              "status": "affected",
              "version": "4.0.0-alpha-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy\u0027s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:14:34.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groovy-lang.org/security.html#CVE-2020-17521"
        },
        {
          "name": "[groovy-notifications] 20201207 [jira] [Closed] (GROOVY-9824) CVE-2020-17521 Apache Groovy Information Disclosure",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20201218-0006/"
        },
        {
          "name": "[atlas-dev] 20210422 [jira] [Created] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E"
        },
        {
          "name": "[atlas-dev] 20210422 [jira] [Updated] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-17521",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Groovy",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2.0 to 2.4.20"
                          },
                          {
                            "version_value": "2.5.0 to 2.5.13"
                          },
                          {
                            "version_value": "3.0.0 to 3.0.6"
                          },
                          {
                            "version_value": "4.0.0-alpha-1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy\u0027s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groovy-lang.org/security.html#CVE-2020-17521",
              "refsource": "CONFIRM",
              "url": "https://groovy-lang.org/security.html#CVE-2020-17521"
            },
            {
              "name": "[groovy-notifications] 20201207 [jira] [Closed] (GROOVY-9824) CVE-2020-17521 Apache Groovy Information Disclosure",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20201218-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20201218-0006/"
            },
            {
              "name": "[atlas-dev] 20210422 [jira] [Created] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E"
            },
            {
              "name": "[atlas-dev] 20210422 [jira] [Updated] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-17521",
    "datePublished": "2020-12-07T19:22:37.000Z",
    "dateReserved": "2020-08-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T14:00:48.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1471 (GCVE-0-2022-1471)

Vulnerability from cvelistv5 – Published: 2022-12-01 10:47 – Updated: 2025-06-18 08:32

Title

Remote Code execution in SnakeYAML

Summary

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Severity

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

Google

References

11 references

URL	Tags
https://github.com/google/security-research/secur…
https://bitbucket.org/snakeyaml/snakeyaml/issues/…
https://github.com/mbechler/marshalsec
https://www.github.com/mbechler/marshalsec/blob/m…
https://groups.google.com/g/kubernetes-security-a…
https://security.netapp.com/advisory/ntap-2023081…
http://packetstormsecurity.com/files/175095/PyTor…
http://www.openwall.com/lists/oss-security/2023/11/19/1
https://security.netapp.com/advisory/ntap-2024062…
https://infosecwriteups.com/%EF%B8%8F-inside-the-…
https://confluence.atlassian.com/security/cve-202…

Impacted products

1 product

Vendor	Product	Version
SnakeYAML	SnakeYAML	Affected: 0 , ≤ 2.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mbechler/marshalsec"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230818-0015/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/11/19/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-1471",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-07T18:13:22.155371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-17T13:52:47.976Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SnakeYAML",
          "vendor": "SnakeYAML",
          "versions": [
            {
              "lessThanOrEqual": "2.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSnakeYaml\u0027s Constructor() class does not restrict types which can be instantiated during deserialization.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDeserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml\u0027s SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "SnakeYaml\u0027s Constructor() class does not restrict types which can be instantiated during deserialization.\u00a0Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml\u0027s SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-253",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-253 Remote Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T08:32:58.546Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
        },
        {
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479"
        },
        {
          "url": "https://github.com/mbechler/marshalsec"
        },
        {
          "url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"
        },
        {
          "url": "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230818-0015/"
        },
        {
          "url": "http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/11/19/1"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        },
        {
          "url": "https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c"
        },
        {
          "url": "https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code execution in SnakeYAML",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2022-1471",
    "datePublished": "2022-12-01T10:47:07.203Z",
    "dateReserved": "2022-04-26T08:32:53.188Z",
    "dateUpdated": "2025-06-18T08:32:58.546Z",
    "requesterUserId": "ed9b5bb2-2df1-4aa3-9791-5fb260d88e62",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-35116 (GCVE-0-2023-35116)

Vulnerability from cvelistv5 – Published: 2023-06-14 00:00 – Updated: 2024-08-02 16:23 Disputed

Summary

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

1 reference

URL	Tags
https://github.com/FasterXML/jackson-databind/iss…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:23:58.755Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/3972"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor\u0027s perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-26T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/FasterXML/jackson-databind/issues/3972"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-35116",
    "datePublished": "2023-06-14T00:00:00.000Z",
    "dateReserved": "2023-06-13T00:00:00.000Z",
    "dateUpdated": "2024-08-02T16:23:58.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-39743 (GCVE-0-2023-39743)

Vulnerability from cvelistv5 – Published: 2023-08-17 00:00 – Updated: 2024-10-08 18:14

Summary

lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

3 references

URL	Tags
https://github.com/huanglei3/lrzip-next-poc/tree/main
https://github.com/pete4abw/lrzip-next/issues/132
https://gist.github.com/huanglei3/ec9090096aa9244…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:18:09.840Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/huanglei3/lrzip-next-poc/tree/main"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pete4abw/lrzip-next/issues/132"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/huanglei3/ec9090096aa92445cf0a8baa8e929084"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39743",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-08T18:13:19.954453Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-284",
                "description": "CWE-284 Improper Access Control",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-08T18:14:31.768Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-25T13:37:54.343Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/huanglei3/lrzip-next-poc/tree/main"
        },
        {
          "url": "https://github.com/pete4abw/lrzip-next/issues/132"
        },
        {
          "url": "https://gist.github.com/huanglei3/ec9090096aa92445cf0a8baa8e929084"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-39743",
    "datePublished": "2023-08-17T00:00:00.000Z",
    "dateReserved": "2023-08-07T00:00:00.000Z",
    "dateUpdated": "2024-10-08T18:14:31.768Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4759 (GCVE-0-2023-4759)

Vulnerability from cvelistv5 – Published: 2023-09-12 09:12 – Updated: 2024-08-02 07:37

Title

Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write

Summary

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CWE-178 - Improper Handling of Case Sensitivity

Assigner

eclipse

References

3 references

URL	Tags
https://gitlab.eclipse.org/security/vulnerability…
https://projects.eclipse.org/projects/technology.…
https://git.eclipse.org/c/jgit/jgit.git/commit/?i…

Impacted products

1 product

Vendor	Product	Version
Eclipse Foundation	Eclipse JGit	Affected: 0.0.0 , ≤ 6.6.0.202305301015-r (semver) Unaffected: 5.13.3.202401111512-r

Date Public

2023-09-12 10:00

Credits

RyotaK

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jgit",
            "vendor": "eclipse",
            "versions": [
              {
                "lessThanOrEqual": "6.6.0.202305301015-r",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:eclipse:jgit:5.13.3.202401111512-r:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jgit",
            "vendor": "eclipse",
            "versions": [
              {
                "status": "unaffected",
                "version": "5.13.3.202401111512-r"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4759",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T03:55:38.083883Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T13:51:38.023Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:37:59.574Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.eclipse.org/c/jgit/jgit.git/",
          "defaultStatus": "unaffected",
          "product": "Eclipse JGit",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "6.6.0.202305301015-r",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "  5.13.3.202401111512-r"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "RyotaK"
        }
      ],
      "datePublic": "2023-09-12T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eArbitrary File Overwrite in Eclipse JGit \u0026lt;= 6.6.0\u003c/p\u003e\u003cp\u003eIn Eclipse JGit, all versions \u0026lt;= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\u003c/p\u003e\u003cp\u003eThis can happen on checkout (\u003ccode\u003eDirCacheCheckout\u003c/code\u003e), merge (\u003ccode\u003eResolveMerger\u003c/code\u003e\u0026nbsp;via its \u003ccode\u003eWorkingTreeUpdater\u003c/code\u003e), pull (\u003ccode\u003ePullCommand\u003c/code\u003e\u0026nbsp;using merge), and when applying a patch (\u003ccode\u003ePatchApplier\u003c/code\u003e). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\u003c/p\u003e\u003cp\u003eThe issue occurs only on case-\u003cstrong\u003ein\u003c/strong\u003esensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\u003c/p\u003e\u003cp\u003eSetting git configuration option \u003ccode\u003ecore.symlinks = false\u003c/code\u003e\u0026nbsp;before checking out avoids the problem.\u003c/p\u003e\u003cp\u003eThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://repo1.maven.org/maven2/org/eclipse/jgit/\"\u003eMaven Central\u003c/a\u003e\u0026nbsp;and \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://repo.eclipse.org/content/repositories/jgit-releases/\"\u003erepo.eclipse.org\u003c/a\u003e. A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Arbitrary File Overwrite in Eclipse JGit \u003c= 6.6.0\n\nIn Eclipse JGit, all versions \u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger\u00a0via its WorkingTreeUpdater), pull (PullCommand\u00a0using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false\u00a0before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ \u00a0and  repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\n\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132 Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-12T15:21:24.101Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11"
        },
        {
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1"
        },
        {
          "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSetting git configuration option \u003ccode\u003ecore.symlinks = false\u003c/code\u003e\u0026nbsp;before checking out avoids the problem.\u003c/p\u003e"
            }
          ],
          "value": "Setting git configuration option core.symlinks = false\u00a0before checking out avoids the problem.\n\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2023-4759",
    "datePublished": "2023-09-12T09:12:10.254Z",
    "dateReserved": "2023-09-04T16:06:00.689Z",
    "dateUpdated": "2024-08-02T07:37:59.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-51775 (GCVE-0-2023-51775)

Vulnerability from cvelistv5 – Published: 2023-12-25 00:00 – Updated: 2025-11-03 21:50

Summary

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

Assigner

mitre

References

1 reference

URL	Tags
https://bitbucket.org/b_c/jose4j/issues/212

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:50:19.303Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bitbucket.org/b_c/jose4j/issues/212"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jose4j",
            "vendor": "jose4j_project",
            "versions": [
              {
                "lessThan": "0.9.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-51775",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-01T18:51:39.813007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-14T18:42:03.439Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-25T21:16:04.514Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://bitbucket.org/b_c/jose4j/issues/212"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-51775",
    "datePublished": "2023-12-25T00:00:00.000Z",
    "dateReserved": "2023-12-25T00:00:00.000Z",
    "dateUpdated": "2025-11-03T21:50:19.303Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-21190 (GCVE-0-2024-21190)

Vulnerability from cvelistv5 – Published: 2024-10-15 19:52 – Updated: 2024-10-16 14:51

Summary

Vulnerability in the Oracle Global Lifecycle Management FMW Installer product of Oracle Fusion Middleware (component: Cloning). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via SFTP to compromise Oracle Global Lifecycle Management FMW Installer. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Global Lifecycle Management FMW Installer accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

Easily exploitable vulnerability allows unauthenticated attacker with network access via SFTP to compromise Oracle Global Lifecycle Management FMW Installer. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Global Lifecycle Management FMW Installer accessible data.

Assigner

oracle

References

1 reference

URL	Tags
https://www.oracle.com/security-alerts/cpuoct2024.html	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Oracle Corporation	Oracle Global Lifecycle Management FMW Installer	Affected: 12.2.1.4.0 cpe:2.3:a:oracle:global_lifecycle_management_fmw_installer:12.2.1.4.0:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21190",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-16T14:48:18.460081Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-16T14:51:01.705Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:oracle:global_lifecycle_management_fmw_installer:12.2.1.4.0:*:*:*:*:*:*:*"
          ],
          "product": "Oracle Global Lifecycle Management FMW Installer",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "12.2.1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Vulnerability in the Oracle Global Lifecycle Management FMW Installer product of Oracle Fusion Middleware (component: Cloning).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via SFTP to compromise Oracle Global Lifecycle Management FMW Installer.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Global Lifecycle Management FMW Installer accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via SFTP to compromise Oracle Global Lifecycle Management FMW Installer.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Global Lifecycle Management FMW Installer accessible data.",
              "lang": "en-US"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-15T19:52:16.649Z",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "Oracle Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2024-21190",
    "datePublished": "2024-10-15T19:52:16.649Z",
    "dateReserved": "2023-12-07T22:28:10.688Z",
    "dateUpdated": "2024-10-16T14:51:01.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21191 (GCVE-0-2024-21191)

Vulnerability from cvelistv5 – Published: 2024-10-15 19:52 – Updated: 2024-10-16 14:46

Summary

Vulnerability in the Oracle Enterprise Manager Fusion Middleware Control product of Oracle Fusion Middleware (component: FMW Control Plugin). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Fusion Middleware Control. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Fusion Middleware Control, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager Fusion Middleware Control accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Fusion Middleware Control accessible data. CVSS 3.1 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).

Severity

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CWE

Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Fusion Middleware Control. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Fusion Middleware Control, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager Fusion Middleware Control accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Fusion Middleware Control accessible data.

Assigner

oracle

References

1 reference

URL	Tags
https://www.oracle.com/security-alerts/cpuoct2024.html	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Oracle Corporation	Oracle Enterprise Manager Fusion Middleware Control	Affected: 12.2.1.4.0 cpe:2.3:a:oracle:enterprise_manager_fusion_middleware_control:12.2.1.4.0:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21191",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-16T14:44:22.106088Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-16T14:46:43.432Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:oracle:enterprise_manager_fusion_middleware_control:12.2.1.4.0:*:*:*:*:*:*:*"
          ],
          "product": "Oracle Enterprise Manager Fusion Middleware Control",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "12.2.1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Vulnerability in the Oracle Enterprise Manager Fusion Middleware Control product of Oracle Fusion Middleware (component: FMW Control Plugin).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Fusion Middleware Control.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Fusion Middleware Control, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Enterprise Manager Fusion Middleware Control accessible data as well as  unauthorized update, insert or delete access to some of Oracle Enterprise Manager Fusion Middleware Control accessible data. CVSS 3.1 Base Score 7.6 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Fusion Middleware Control.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Fusion Middleware Control, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Enterprise Manager Fusion Middleware Control accessible data as well as  unauthorized update, insert or delete access to some of Oracle Enterprise Manager Fusion Middleware Control accessible data.",
              "lang": "en-US"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-15T19:52:34.801Z",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "Oracle Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2024-21191",
    "datePublished": "2024-10-15T19:52:34.801Z",
    "dateReserved": "2023-12-07T22:28:10.688Z",
    "dateUpdated": "2024-10-16T14:46:43.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-21192 (GCVE-0-2024-21192)

Vulnerability from cvelistv5 – Published: 2024-10-15 19:52 – Updated: 2024-10-16 14:43

Summary

Vulnerability in the Oracle Enterprise Manager for Fusion Middleware product of Oracle Fusion Middleware (component: WebLogic Mgmt). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Enterprise Manager for Fusion Middleware executes to compromise Oracle Enterprise Manager for Fusion Middleware. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager for Fusion Middleware accessible data. CVSS 3.1 Base Score 4.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

Severity

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Enterprise Manager for Fusion Middleware executes to compromise Oracle Enterprise Manager for Fusion Middleware. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager for Fusion Middleware accessible data.

Assigner

oracle

References

1 reference

URL	Tags
https://www.oracle.com/security-alerts/cpuoct2024.html	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Oracle Corporation	Oracle Enterprise Manager for Fusion Middleware	Affected: 12.2.1.4.0 cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:12.2.1.4.0:::::::*

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21192",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-16T14:42:57.198602Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-16T14:43:13.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*"
          ],
          "product": "Oracle Enterprise Manager for Fusion Middleware",
          "vendor": "Oracle Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "12.2.1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Vulnerability in the Oracle Enterprise Manager for Fusion Middleware product of Oracle Fusion Middleware (component: WebLogic Mgmt).   The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Enterprise Manager for Fusion Middleware executes to compromise Oracle Enterprise Manager for Fusion Middleware.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Enterprise Manager for Fusion Middleware accessible data. CVSS 3.1 Base Score 4.4 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Enterprise Manager for Fusion Middleware executes to compromise Oracle Enterprise Manager for Fusion Middleware.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Enterprise Manager for Fusion Middleware accessible data.",
              "lang": "en-US"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-15T19:52:35.130Z",
        "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "shortName": "oracle"
      },
      "references": [
        {
          "name": "Oracle Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
    "assignerShortName": "oracle",
    "cveId": "CVE-2024-21192",
    "datePublished": "2024-10-15T19:52:35.130Z",
    "dateReserved": "2023-12-07T22:28:10.688Z",
    "dateUpdated": "2024-10-16T14:43:13.942Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

NCSC-2024-0417

CVE-2020-11023 (GCVE-0-2020-11023)

CVE-2020-17521 (GCVE-0-2020-17521)

CVE-2022-1471 (GCVE-0-2022-1471)

CVE-2023-35116 (GCVE-0-2023-35116)

CVE-2023-39743 (GCVE-0-2023-39743)

CVE-2023-4759 (GCVE-0-2023-4759)

CVE-2023-51775 (GCVE-0-2023-51775)

CVE-2024-21190 (GCVE-0-2024-21190)

CVE-2024-21191 (GCVE-0-2024-21191)

CVE-2024-21192 (GCVE-0-2024-21192)

Tags

Sightings

Nomenclature