Oracle Banking Trade Finance Process Management vulnerabilities

CVE-2022-21474 [MEDIUM] CVE-2022-21474: Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction

CVE-2022-22963 [CRITICAL] CWE-94 CVE-2022-22963: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing fu In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

CVE-2021-41973 [MEDIUM] CWE-835 CVE-2021-41973: In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

CVE-2021-29505 [HIGH] CWE-94 CVE-2021-29505: XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream v XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limi

CVE-2021-21409 [MEDIUM] CWE-444 CVE-2021-21409: Netty is an open-source, asynchronous event-driven network application framework for rapid developme Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the requ

CVE-2021-27807 [MEDIUM] CWE-834 CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

CVE-2021-27906 [MEDIUM] CWE-789 CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

CVE-2021-23337 [HIGH] CWE-94 CVE-2021-23337: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE-2020-28500 [MEDIUM] CVE-2020-28500: Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVE-2021-21290 [MEDIUM] CWE-378 CVE-2021-21290: Netty is an open-source, asynchronous event-driven network application framework for rapid developme Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure c

CVE-2020-26217 [HIGH] CWE-78 CVE-2020-26217: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a r XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workaro

CVE-2020-8203 [HIGH] CWE-770 CVE-2020-8203: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

CVE-2019-12399 [HIGH] CWE-319 CVE-2019-12399: When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configur When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect c

CVE-2019-0228 [CRITICAL] CWE-611 CVE-2019-0228: Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent att Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.