oracle

goldengate_stream_analytics

10 known vulnerabilities · sorted by CVSS score

CVE-2019-16335

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

fasterxml / jackson-databind+38

Network

Published Sep 15, 2019

CVE-2019-14893

CRITICAL9.8

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

fasterxml / jackson-databind+4

Network

Published Mar 2, 2020

CVE-2018-8088

CRITICAL9.8

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x series.

qos / slf4j+32

Network

Published Mar 20, 2018

CVE-2019-14540

CRITICAL9.8

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

fasterxml / jackson-databind+48

Network

Published Sep 15, 2019

CVE-2019-20330

CRITICAL9.8

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

fasterxml / jackson-databind+52

Network

Published Jan 3, 2020

CVE-2019-14379

CRITICAL9.8

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

fasterxml / jackson-databind+57

Network

Published Jul 29, 2019

CVE-2019-0222

HIGH7.5

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

apache / activemq+12

Network

Published Mar 28, 2019

CVE-2019-14439

HIGH7.5

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

fasterxml / jackson-databind+44

Network

Published Jul 30, 2019

CVE-2018-8012

HIGH7.5

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

apache / zookeeper+6

Network

Published May 21, 2018

CVE-2019-0201

MEDIUM5.9

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

apache / zookeeper+29

Network

Published May 23, 2019