Filtered by vendor Oracle
Subscriptions
Total
10178 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-45486 | 3 Linux, Oracle, Redhat | 6 Linux Kernel, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Exposure Function and 3 more | 2024-11-21 | 3.5 Low |
| In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. | ||||
| CVE-2021-45485 | 4 Linux, Netapp, Oracle and 1 more | 46 Linux Kernel, Aff A400, Aff A400 Firmware and 43 more | 2024-11-21 | 7.5 High |
| In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. | ||||
| CVE-2021-45105 | 6 Apache, Debian, Netapp and 3 more | 131 Log4j, Debian Linux, Cloud Manager and 128 more | 2024-11-21 | 5.9 Medium |
| Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. | ||||
| CVE-2021-44832 | 6 Apache, Cisco, Debian and 3 more | 31 Log4j, Cloudcenter, Debian Linux and 28 more | 2024-11-21 | 6.6 Medium |
| Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. | ||||
| CVE-2021-44224 | 7 Apache, Apple, Debian and 4 more | 15 Http Server, Mac Os X, Macos and 12 more | 2024-11-21 | 8.2 High |
| A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). | ||||
| CVE-2021-43976 | 6 Debian, Fedoraproject, Linux and 3 more | 24 Debian Linux, Fedora, Linux Kernel and 21 more | 2024-11-21 | 4.6 Medium |
| In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic). | ||||
| CVE-2021-43818 | 6 Debian, Fedoraproject, Lxml and 3 more | 16 Debian Linux, Fedora, Lxml and 13 more | 2024-11-21 | 8.2 High |
| lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. | ||||
| CVE-2021-43797 | 6 Debian, Netapp, Netty and 3 more | 28 Debian Linux, Oncommand Workflow Automation, Snapcenter and 25 more | 2024-11-21 | 6.5 Medium |
| Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final. | ||||
| CVE-2021-43527 | 5 Mozilla, Netapp, Oracle and 2 more | 17 Nss, Nss Esr, Cloud Backup and 14 more | 2024-11-21 | 9.8 Critical |
| NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1. | ||||
| CVE-2021-43396 | 2 Gnu, Oracle | 7 Glibc, Communications Cloud Native Core Binding Support Function, Communications Cloud Native Core Network Function Cloud Native Environment and 4 more | 2024-11-21 | 7.5 High |
| In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug. | ||||
| CVE-2021-43389 | 4 Debian, Linux, Oracle and 1 more | 6 Debian Linux, Linux Kernel, Communications Cloud Native Core Binding Support Function and 3 more | 2024-11-21 | 5.5 Medium |
| An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. | ||||
| CVE-2021-42739 | 6 Debian, Fedoraproject, Linux and 3 more | 10 Debian Linux, Fedora, Linux Kernel and 7 more | 2024-11-21 | 6.7 Medium |
| The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. | ||||
| CVE-2021-42575 | 3 Oracle, Owasp, Redhat | 4 Middleware Common Libraries And Tools, Primavera Unifier, Java Html Sanitizer and 1 more | 2024-11-21 | 9.8 Critical |
| The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. | ||||
| CVE-2021-42392 | 4 Debian, H2database, Oracle and 1 more | 7 Debian Linux, H2, Communications Cloud Native Core Policy and 4 more | 2024-11-21 | 9.8 Critical |
| The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. | ||||
| CVE-2021-42340 | 5 Apache, Debian, Netapp and 2 more | 22 Tomcat, Debian Linux, Hci and 19 more | 2024-11-21 | 7.5 High |
| The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. | ||||
| CVE-2021-41973 | 2 Apache, Oracle | 9 Mina, Banking Payments, Banking Trade Finance Process Management and 6 more | 2024-11-21 | 6.5 Medium |
| In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater. | ||||
| CVE-2021-41772 | 4 Fedoraproject, Golang, Oracle and 1 more | 8 Fedora, Go, Timesten In-memory Database and 5 more | 2024-11-21 | 7.5 High |
| Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. | ||||
| CVE-2021-41617 | 6 Fedoraproject, Netapp, Openbsd and 3 more | 15 Fedora, Active Iq Unified Manager, Aff 500f and 12 more | 2024-11-21 | 7.0 High |
| sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. | ||||
| CVE-2021-41524 | 5 Apache, Fedoraproject, Netapp and 2 more | 5 Http Server, Fedora, Cloud Backup and 2 more | 2024-11-21 | 7.5 High |
| While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. | ||||
| CVE-2021-41303 | 2 Apache, Oracle | 2 Shiro, Financial Services Crime And Compliance Management Studio | 2024-11-21 | 9.8 Critical |
| Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. | ||||