Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-3616
Vulnerability from csaf_certbund
Published
2016-10-06 22:00
Modified
2024-12-05 23:00
Summary
Red Hat JBoss Fuse: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Fuse ist ein Open Source Enterprise Service Bus (ESB).
JBoss A-MQ ist eine Messaging-Plattform.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Fuse und Red Hat JBoss A-MQ ausnutzen, um einen Denial of Service Angriff durchzuführen, Code mit den Privilegien des angegriffenen Dienstes zur Ausführung bringen, vertrauliche Daten einzusehen, Informationen zu manipulieren oder Sicherheitsmechanismen zu umgehen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JBoss Fuse ist ein Open Source Enterprise Service Bus (ESB).\r\nJBoss A-MQ ist eine Messaging-Plattform.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Fuse und Red Hat JBoss A-MQ ausnutzen, um einen Denial of Service Angriff durchzuführen, Code mit den Privilegien des angegriffenen Dienstes zur Ausführung bringen, vertrauliche Daten einzusehen, Informationen zu manipulieren oder Sicherheitsmechanismen zu umgehen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-3616 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2016/wid-sec-w-2024-3616.json", }, { category: "self", summary: "WID-SEC-2024-3616 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3616", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2016:2036-1 vom 2016-10-06", url: "https://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2016:2035-1 vom 2016-10-06", url: "https://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { category: "external", summary: "Juniper Security Advisory JSA11023 vom 2020-07-08", url: "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11023", }, { category: "external", summary: "Ubuntu Security Notice USN-7139-1 vom 2024-12-05", url: "https://ubuntu.com/security/notices/USN-7139-1", }, ], source_lang: "en-US", title: "Red Hat JBoss Fuse: Mehrere Schwachstellen", tracking: { current_release_date: "2024-12-05T23:00:00.000+00:00", generator: { date: "2024-12-06T09:15:40.792+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-3616", initial_release_date: "2016-10-06T22:00:00.000+00:00", revision_history: [ { date: "2016-10-06T22:00:00.000+00:00", number: "1", summary: "Initial Release", }, { date: "2016-10-06T22:00:00.000+00:00", number: "2", summary: "Version nicht vorhanden", }, { date: "2016-10-06T22:00:00.000+00:00", number: "3", summary: "Version nicht vorhanden", }, { date: "2019-06-18T22:00:00.000+00:00", number: "4", summary: "Referenz(en) aufgenommen: RHSA-2019:1545", }, { date: "2020-07-08T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Juniper aufgenommen", }, { date: "2024-12-05T23:00:00.000+00:00", number: "6", summary: "Neue Updates von Ubuntu aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<20.1R1", product: { name: "Juniper Junos Space <20.1R1", product_id: "T016874", }, }, { category: "product_version", name: "20.1R1", product: { name: "Juniper Junos Space 20.1R1", product_id: "T016874-fixed", product_identification_helper: { cpe: "cpe:/a:juniper:junos_space:20.1r1", }, }, }, ], category: "product_name", name: "Junos Space", }, ], category: "vendor", name: "Juniper", }, { branches: [ { branches: [ { category: "product_version", name: "6.3", product: { name: "Red Hat JBoss A-MQ 6.3", product_id: "T008598", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.3", }, }, }, ], category: "product_name", name: "JBoss A-MQ", }, { branches: [ { category: "product_version", name: "6.3", product: { name: "Red Hat JBoss Fuse 6.3", product_id: "T008597", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_name", name: "JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3192", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse und Red Hat JBoss A-MQ. Die Schwachstelle besteht im Spring Framework und beruht auf der Art und WEise, wie \"inline DTD Deklarationen\" verarbeitet werden. Ein Angreifer kann dieses durch Übermitteln geeignet gestalteter XML Daten zu einem Denial of Service Angirff nutzen.", }, ], product_status: { known_affected: [ "T008598", "T000126", "T016874", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-3192", }, { cve: "CVE-2015-5344", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse in der Apache Camel camel-xstream Komponente. Die Schwachstelle beruht auf einem Deseialisierungfehler von Java Objekten. Ein Angreifer kann dieses nutzen und u. a. vertrauliche Daten einsehen oder Code zur Ausführung bringen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-5344", }, { cve: "CVE-2015-5348", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse. Die Schwachstelle besteht in dem Apache Camels Jetty/Servlet und beruht auf einem Deserialisierungsfehler. Ein Angreifer kann dieses durch Übermitteln geeignet gestalteter Daten nutzen und beliebigen Code zur Ausführung bringen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-5348", }, { cve: "CVE-2015-7940", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse und Red Hat JBoss A-MQ in der Komponente \"bouncycastle\". Die Schwachstelle beruht darauf, dass ein Angreifer private Schlüssel bei Verwendung von elliptischen Kurven in der Kryptographie auslesen kann.", }, ], product_status: { known_affected: [ "T008598", "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2015-7940", }, { cve: "CVE-2016-2141", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse. Die Schwachstelle beruht darauf, dass neue Nodes durch JGroups nicht korrekt authentisiert werden. Ein Angreifer kann dieses nutzen und Sicherheitsmechanismen umgehen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2016-2141", }, { cve: "CVE-2016-2510", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse im Zusammenhang mit BeanShell. Ein anonymer, entfernter Angreifer kann diese Schwachstelle nutzen, um bei der Deserialisierung einer speziell konstruierten Klassenkette beliebigen Programmcode mit den Rechten des Dienstes auszuführen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen, eine modifizierte URL oder Webseite in seinem Web-Browser zu öffnen.", }, ], product_status: { known_affected: [ "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2016-2510", }, { cve: "CVE-2016-4437", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Fuse und Red Hat JBoss A-MQ. Die Schwachstelle besteht in darin, dass Apache Shiro einen Standardschlüssel für die \"remember me\" Funktion verwendet. Ein Angreifer kann dieses ausnutzen und unautorisiert Zugriff auf die Inhalte erlangen.", }, ], product_status: { known_affected: [ "T008598", "T000126", "T008597", ], }, release_date: "2016-10-06T22:00:00.000+00:00", title: "CVE-2016-4437", }, ], }
cve-2015-7940
Vulnerability from cvelistv5
Published
2015-11-09 16:00
Modified
2024-08-06 08:06
Severity ?
Summary
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T08:06:30.850Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2015/dsa-3417", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037053", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-09-15T00:00:00", descriptions: [ { lang: "en", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-04-15T21:06:39", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2015/dsa-3417", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { tags: [ "x_refsource_MISC", ], url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037053", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-7940", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "79091", refsource: "BID", url: "http://www.securityfocus.com/bid/79091", }, { name: "openSUSE-SU-2015:1911", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html", }, { name: "FEDORA-2015-7d95466eda", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { name: "USN-3727-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3727-1/", }, { name: "[oss-security] 20151022 Re: CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2015/10/22/9", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "1037036", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037036", }, { name: "[oss-security] 20151022 CVE Request: invalid curve attack on bouncycastle", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2015/10/22/7", }, { name: "DSA-3417", refsource: "DEBIAN", url: "http://www.debian.org/security/2015/dsa-3417", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", }, { name: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", refsource: "MISC", url: "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html", }, { name: "1037046", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037046", }, { name: "1037053", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037053", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-7940", datePublished: "2015-11-09T16:00:00", dateReserved: "2015-10-22T00:00:00", dateUpdated: "2024-08-06T08:06:30.850Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-3192
Vulnerability from cvelistv5
Published
2016-07-12 19:00
Modified
2024-08-06 05:39
Severity ?
EPSS score ?
Summary
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T05:39:31.943Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "1036587", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1036587", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://pivotal.io/security/cve-2015-3192", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "RHSA-2016:1218", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1218", }, { name: "90853", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/90853", }, { name: "RHSA-2016:1592", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1592.html", }, { name: "FEDORA-2015-11184", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html", }, { name: "FEDORA-2015-11165", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jira.spring.io/browse/SPR-13136", }, { name: "RHSA-2016:1593", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1593.html", }, { name: "RHSA-2016:1219", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1219", }, { name: "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-06-30T00:00:00", descriptions: [ { lang: "en", value: "Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-07-13T23:06:02", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "1036587", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1036587", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://pivotal.io/security/cve-2015-3192", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "RHSA-2016:1218", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2016:1218", }, { name: "90853", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/90853", }, { name: "RHSA-2016:1592", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1592.html", }, { name: "FEDORA-2015-11184", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html", }, { name: "FEDORA-2015-11165", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://jira.spring.io/browse/SPR-13136", }, { name: "RHSA-2016:1593", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1593.html", }, { name: "RHSA-2016:1219", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2016:1219", }, { name: "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-3192", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "1036587", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1036587", }, { name: "http://pivotal.io/security/cve-2015-3192", refsource: "CONFIRM", url: "http://pivotal.io/security/cve-2015-3192", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "RHSA-2016:1218", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2016:1218", }, { name: "90853", refsource: "BID", url: "http://www.securityfocus.com/bid/90853", }, { name: "RHSA-2016:1592", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-1592.html", }, { name: "FEDORA-2015-11184", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html", }, { name: "FEDORA-2015-11165", refsource: "FEDORA", url: "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html", }, { name: "https://jira.spring.io/browse/SPR-13136", refsource: "CONFIRM", url: "https://jira.spring.io/browse/SPR-13136", }, { name: "RHSA-2016:1593", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-1593.html", }, { name: "RHSA-2016:1219", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2016:1219", }, { name: "[debian-lts-announce] 20190713 [SECURITY] [DLA 1853-1] libspring-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2015-3192", datePublished: "2016-07-12T19:00:00", dateReserved: "2015-04-10T00:00:00", dateUpdated: "2024-08-06T05:39:31.943Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-5348
Vulnerability from cvelistv5
Published
2016-04-15 15:00
Modified
2024-08-06 06:41
Severity ?
EPSS score ?
Summary
Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2016-2035.html | vendor-advisory, x_refsource_REDHAT | |
| http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc | x_refsource_CONFIRM | |
| https://issues.apache.org/jira/browse/CAMEL-9309 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/archive/1/537147/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/bid/80696 | vdb-entry, x_refsource_BID | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T06:41:09.342Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html", }, { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://issues.apache.org/jira/browse/CAMEL-9309", }, { name: "20151217 CVE-2015-5348 - Apache Camel medium disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/537147/100/0/threaded", }, { name: "80696", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/80696", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-12-17T00:00:00", descriptions: [ { lang: "en", value: "Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-24T10:06:03", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html", }, { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://issues.apache.org/jira/browse/CAMEL-9309", }, { name: "20151217 CVE-2015-5348 - Apache Camel medium disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/537147/100/0/threaded", }, { name: "80696", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/80696", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-5348", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/134946/Apache-Camel-Java-Object-Deserialization.html", }, { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc", refsource: "CONFIRM", url: "http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc", }, { name: "https://issues.apache.org/jira/browse/CAMEL-9309", refsource: "CONFIRM", url: "https://issues.apache.org/jira/browse/CAMEL-9309", }, { name: "20151217 CVE-2015-5348 - Apache Camel medium disclosure vulnerability", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/537147/100/0/threaded", }, { name: "80696", refsource: "BID", url: "http://www.securityfocus.com/bid/80696", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2015-5348", datePublished: "2016-04-15T15:00:00", dateReserved: "2015-07-01T00:00:00", dateUpdated: "2024-08-06T06:41:09.342Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-2510
Vulnerability from cvelistv5
Published
2016-04-07 20:00
Modified
2024-08-05 23:32
Severity ?
EPSS score ?
Summary
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T23:32:20.399Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "84139", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/84139", }, { name: "RHSA-2016:1135", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1135", }, { name: "RHSA-2016:0540", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0540.html", }, { name: "RHSA-2016:1376", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1376", }, { name: "openSUSE-SU-2016:0788", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html", }, { name: "RHSA-2016:0539", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0539.html", }, { name: "DSA-3504", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "http://www.debian.org/security/2016/dsa-3504", }, { name: "1035440", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1035440", }, { name: "openSUSE-SU-2016:0833", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html", }, { name: "USN-2923-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "http://www.ubuntu.com/usn/USN-2923-1", }, { name: "GLSA-201607-17", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/201607-17", }, { name: "RHSA-2019:1545", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/frohoff/ysoserial/pull/13", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-02-18T00:00:00", descriptions: [ { lang: "en", value: "BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-10-20T21:14:50", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "84139", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/84139", }, { name: "RHSA-2016:1135", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2016:1135", }, { name: "RHSA-2016:0540", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0540.html", }, { name: "RHSA-2016:1376", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2016:1376", }, { name: "openSUSE-SU-2016:0788", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html", }, { name: "RHSA-2016:0539", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-0539.html", }, { name: "DSA-3504", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "http://www.debian.org/security/2016/dsa-3504", }, { name: "1035440", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1035440", }, { name: "openSUSE-SU-2016:0833", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html", }, { name: "USN-2923-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "http://www.ubuntu.com/usn/USN-2923-1", }, { name: "GLSA-201607-17", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/201607-17", }, { name: "RHSA-2019:1545", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/frohoff/ysoserial/pull/13", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", }, { tags: [ "x_refsource_MISC", ], url: "https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-2510", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "84139", refsource: "BID", url: "http://www.securityfocus.com/bid/84139", }, { name: "RHSA-2016:1135", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2016:1135", }, { name: "RHSA-2016:0540", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-0540.html", }, { name: "RHSA-2016:1376", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2016:1376", }, { name: "openSUSE-SU-2016:0788", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html", }, { name: "RHSA-2016:0539", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-0539.html", }, { name: "DSA-3504", refsource: "DEBIAN", url: "http://www.debian.org/security/2016/dsa-3504", }, { name: "1035440", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1035440", }, { name: "openSUSE-SU-2016:0833", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html", }, { name: "USN-2923-1", refsource: "UBUNTU", url: "http://www.ubuntu.com/usn/USN-2923-1", }, { name: "GLSA-201607-17", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/201607-17", }, { name: "RHSA-2019:1545", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://github.com/frohoff/ysoserial/pull/13", refsource: "MISC", url: "https://github.com/frohoff/ysoserial/pull/13", }, { name: "https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49", refsource: "CONFIRM", url: "https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49", }, { name: "https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced", refsource: "CONFIRM", url: "https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced", }, { name: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", refsource: "CONFIRM", url: "https://github.com/beanshell/beanshell/releases/tag/2.0b6", }, { name: "https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf", refsource: "MISC", url: "https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-2510", datePublished: "2016-04-07T20:00:00", dateReserved: "2016-02-18T00:00:00", dateUpdated: "2024-08-05T23:32:20.399Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-2141
Vulnerability from cvelistv5
Published
2016-06-30 00:00
Modified
2024-08-05 23:17
Severity ?
EPSS score ?
Summary
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T23:17:50.610Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:1347", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1347", }, { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "RHSA-2016:1389", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1389", }, { name: "RHSA-2016:1345", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1345", }, { name: "RHSA-2016:1376", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1376", }, { name: "RHSA-2016:1330", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1330.html", }, { name: "RHSA-2016:1439", tags: [ "vendor-advisory", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1439.html", }, { name: "RHSA-2016:1331", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1331.html", }, { name: "91481", tags: [ "vdb-entry", "x_transferred", ], url: "http://www.securityfocus.com/bid/91481", }, { name: "RHSA-2016:1434", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1434", }, { name: "RHSA-2016:1328", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1328.html", }, { name: "RHSA-2016:1433", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1433", }, { tags: [ "x_transferred", ], url: "https://issues.jboss.org/browse/JGRP-2021", }, { name: "RHSA-2016:1374", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1374", }, { name: "RHSA-2016:1432", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1432", }, { name: "RHSA-2016:1346", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2016:1346", }, { name: "RHSA-2016:1334", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1334.html", }, { name: "RHSA-2016:1333", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1333.html", }, { name: "RHSA-2016:1329", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1329.html", }, { name: "RHSA-2016:1332", tags: [ "vendor-advisory", "x_transferred", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1332.html", }, { name: "RHSA-2016:1435", tags: [ "vendor-advisory", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1435.html", }, { name: "1036165", tags: [ "vdb-entry", "x_transferred", ], url: "http://www.securitytracker.com/id/1036165", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[geode-dev] 20200407 JGroups vulnerabilty", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200407 Re: JGroups vulnerabilty", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-06-23T00:00:00", descriptions: [ { lang: "en", value: "It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-26T00:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2016:1347", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1347", }, { name: "RHSA-2016:2035", tags: [ "vendor-advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "RHSA-2016:1389", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1389", }, { name: "RHSA-2016:1345", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1345", }, { name: "RHSA-2016:1376", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1376", }, { name: "RHSA-2016:1330", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1330.html", }, { name: "RHSA-2016:1439", tags: [ "vendor-advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1439.html", }, { name: "RHSA-2016:1331", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1331.html", }, { name: "91481", tags: [ "vdb-entry", ], url: "http://www.securityfocus.com/bid/91481", }, { name: "RHSA-2016:1434", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1434", }, { name: "RHSA-2016:1328", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1328.html", }, { name: "RHSA-2016:1433", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1433", }, { url: "https://issues.jboss.org/browse/JGRP-2021", }, { name: "RHSA-2016:1374", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1374", }, { name: "RHSA-2016:1432", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1432", }, { name: "RHSA-2016:1346", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2016:1346", }, { name: "RHSA-2016:1334", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1334.html", }, { name: "RHSA-2016:1333", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1333.html", }, { name: "RHSA-2016:1329", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1329.html", }, { name: "RHSA-2016:1332", tags: [ "vendor-advisory", ], url: "https://rhn.redhat.com/errata/RHSA-2016-1332.html", }, { name: "RHSA-2016:1435", tags: [ "vendor-advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-1435.html", }, { name: "1036165", tags: [ "vdb-entry", ], url: "http://www.securitytracker.com/id/1036165", }, { url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[geode-dev] 20200407 JGroups vulnerabilty", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E", }, { name: "[geode-dev] 20200407 Re: JGroups vulnerabilty", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-2141", datePublished: "2016-06-30T00:00:00", dateReserved: "2016-01-29T00:00:00", dateUpdated: "2024-08-05T23:17:50.610Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-4437
Vulnerability from cvelistv5
Published
2016-06-07 14:00
Modified
2025-02-07 13:29
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2035.html | vendor-advisory, x_refsource_REDHAT | |
| https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2016-2036.html | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/91024 | vdb-entry, x_refsource_BID | |
| http://www.securityfocus.com/archive/1/538570/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T00:32:24.897Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2016-4437", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T13:29:14.189192Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2021-11-03", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2016-4437", }, type: "kev", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-321", description: "CWE-321 Use of Hard-coded Cryptographic Key", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-07T13:29:17.376Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-06-03T00:00:00.000Z", descriptions: [ { lang: "en", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-04-29T17:06:16.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-4437", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E", }, { name: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", refsource: "BID", url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { name: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-4437", datePublished: "2016-06-07T14:00:00.000Z", dateReserved: "2016-05-02T00:00:00.000Z", dateUpdated: "2025-02-07T13:29:17.376Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-5344
Vulnerability from cvelistv5
Published
2016-02-03 15:00
Modified
2024-08-06 06:41
Severity ?
EPSS score ?
Summary
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2035.html | vendor-advisory, x_refsource_REDHAT | |
| http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/82260 | vdb-entry, x_refsource_BID | |
| http://www.securityfocus.com/archive/1/537414/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E | mailing-list, x_refsource_MLIST |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T06:41:09.552Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc", }, { name: "82260", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/82260", }, { name: "20160130 CVE-2015-5344 - Apache Camel medium disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/537414/100/0/threaded", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-01-30T00:00:00", descriptions: [ { lang: "en", value: "The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-24T10:06:04", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc", }, { name: "82260", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/82260", }, { name: "20160130 CVE-2015-5344 - Apache Camel medium disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/537414/100/0/threaded", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-5344", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc", refsource: "CONFIRM", url: "http://camel.apache.org/security-advisories.data/CVE-2015-5344.txt.asc", }, { name: "82260", refsource: "BID", url: "http://www.securityfocus.com/bid/82260", }, { name: "20160130 CVE-2015-5344 - Apache Camel medium disclosure vulnerability", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/537414/100/0/threaded", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2015-5344", datePublished: "2016-02-03T15:00:00", dateReserved: "2015-07-01T00:00:00", dateUpdated: "2024-08-06T06:41:09.552Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.