Oracle Autovue For Agile Product Lifecycle Management vulnerabilities

CVE-2021-45105 [MEDIUM] CWE-20 CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from u Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

CVE-2021-34429 [MEDIUM] CVE-2021-34429: For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using s For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

CVE-2021-34428 [LOW] CWE-613 CVE-2021-34428: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the Sessi For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application use

CVE-2021-28165 [HIGH] CWE-400 CVE-2021-28165: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage ca In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVE-2021-28164 [MEDIUM] CWE-200 CVE-2021-28164: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests w In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implement

CVE-2021-28163 [LOW] CWE-200 CVE-2021-28163: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user use In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CVE-2020-36179 [HIGH] CWE-502 CVE-2020-36179: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183 [HIGH] CWE-502 CVE-2020-36183: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36182 [HIGH] CWE-502 CVE-2020-36182: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180 [HIGH] CWE-502 CVE-2020-36180: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36189 [HIGH] CWE-502 CVE-2020-36189: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

CVE-2020-36184 [HIGH] CWE-502 CVE-2020-36184: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36186 [HIGH] CWE-502 CVE-2020-36186: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187 [HIGH] CWE-502 CVE-2020-36187: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-36181 [HIGH] CWE-502 CVE-2020-36181: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36188 [HIGH] CWE-502 CVE-2020-36188: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

CVE-2020-36185 [HIGH] CWE-502 CVE-2020-36185: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35491 [HIGH] CWE-502 CVE-2020-35491: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35490 [HIGH] CWE-502 CVE-2020-35490: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-24750 [HIGH] CWE-502 CVE-2020-24750: FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.