CVE-2019-2413
Published 2019-01-16
Priority: P3 · CVSS 3.0 base score: 6.1 (medium) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public exploit listed in references
EPSS: 6.47% (92.9th percentile)
Vulnerability in the Oracle Reports Developer component of Oracle Fusion Middleware (subcomponent: Valid Session). The supported version that is affected is 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Reports Developer. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Reports Developer, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Reports Developer accessible data as well as unauthorized read access to a subset of Oracle Reports Developer accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | reports_developer | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
No detection rules found.
Bugzilla
CVE-2016-10750 [HIGH] hazelcast: java deserialization in join cluster procedure leading to remote code execution
bugzilla · 2019-05-23 · CVSS 8.1
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization.
Upstream issue: https://github.com/hazelcast/hazelcast/issues/8024
Upstream pull: https://github.com/hazelcast/hazelcast/pull/12230
Discussion:
Created hazelcast tracking bugs for this issue:
Affects: fedora-all [bug 1713216]
---
This issue has been addressed in the following products:
Red Hat Fuse 7.4.0
Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2016-10750
---
Statement:
The module
Bugzilla
CVE-2018-10899 [HIGH] jolokia: system-wide CSRF that could lead to Remote Code Execution
bugzilla · 2018-07-13 · CVSS 8.1
A flaw was found in Jolokia versions from 1.2 up to and including 1.6.0. Affected versions are vulnerable to a system-wide CSRF. This holds true even for properly configured instances with strict checking of Origin and Referer headers. This could result in a Remote Code Execution attack.
Discussion:
Acknowledgments:
Name: Martin Bajanik
---
External References:
https://jolokia.org/#Minor_updates_coming_with_1.6.1
---
This issue has been addressed in the following products:
Red Hat Fuse 7.4.0
Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/c
References:
- http://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- http://www.securityfocus.com/bid/106603
- https://www.exploit-db.com/exploits/46187/