Oracle Communications Element Manager vulnerabilities
68 known vulnerabilities affecting oracle/communications_element_manager.
Total CVEs
68
CISA KEV
2
actively exploited
Public exploits
9
Exploited in wild
3
Severity breakdown
CRITICAL7HIGH44MEDIUM15LOW2
Vulnerabilities
Page 3 of 4
CVE-2020-1954MEDIUMCVSS 5.3≥ 8.2.0, ≤ 8.2.22020-04-01
CVE-2020-1954 [MEDIUM] CVE-2020-1954: Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind th
nvd
CVE-2020-1934MEDIUMCVSS 5.3v8.1.1v8.2.0+1 more2020-04-01
CVE-2020-1934 [MEDIUM] CWE-908 CVE-2020-1934: In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
nvd
CVE-2020-11111HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-31
CVE-2020-11111 [HIGH] CWE-502 CVE-2020-11111: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
nvd
CVE-2020-11113HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-31
CVE-2020-11113 [HIGH] CWE-502 CVE-2020-11113: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
nvd
CVE-2020-11112HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-31
CVE-2020-11112 [HIGH] CWE-502 CVE-2020-11112: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
nvd
CVE-2020-10969HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-26
CVE-2020-10969 [HIGH] CWE-502 CVE-2020-10969: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
nvd
CVE-2020-10968HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-26
CVE-2020-10968 [HIGH] CWE-502 CVE-2020-10968: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
nvd
CVE-2020-10673HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-18
CVE-2020-10673 [HIGH] CWE-502 CVE-2020-10673: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
nvd
CVE-2020-10672HIGHCVSS 8.8≥ 8.2.0, ≤ 8.2.22020-03-18
CVE-2020-10672 [HIGH] CWE-502 CVE-2020-10672: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
nvd
CVE-2020-9546CRITICALCVSS 9.8≥ 8.2.0, ≤ 8.2.22020-03-02
CVE-2020-9546 [CRITICAL] CWE-502 CVE-2020-9546: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
nvd
CVE-2020-9548CRITICALCVSS 9.8PoC≥ 8.2.0, ≤ 8.2.22020-03-02
CVE-2020-9548 [CRITICAL] CWE-502 CVE-2020-9548: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadg
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
nvd
CVE-2020-1938CRITICALCVSS 9.8KEVPoCv8.1.1v8.2.0+1 more2020-02-24
CVE-2020-1938 [CRITICAL] CVE-2020-1938: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8
nvd
CVE-2020-1935MEDIUMCVSS 4.8v8.1.1v8.2.0+1 more2020-02-24
CVE-2020-1935 [MEDIUM] CWE-444 CVE-2020-1935: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing cod
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encodi
nvd
CVE-2020-5398HIGHCVSS 7.5v8.1.1v8.2.0+1 more2020-01-17
CVE-2020-5398 [HIGH] CWE-79 CVE-2020-5398: In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
nvd
CVE-2020-5397MEDIUMCVSS 5.3v8.1.1v8.2.0+1 more2020-01-17
CVE-2020-5397 [MEDIUM] CWE-352 CVE-2020-5397: Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS prefligh
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail au
nvd
CVE-2019-12423HIGHCVSS 7.5≥ 8.2.0, ≤ 8.2.22020-01-16
CVE-2019-12423 [HIGH] CWE-522 CVE-2019-12423: Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry
nvd
CVE-2019-17573MEDIUMCVSS 6.1v8.1.1v8.2.0+1 more2020-01-16
CVE-2019-17573 [MEDIUM] CWE-79 CVE-2019-17573: By default, Apache CXF creates a /services page containing a listing of the available endpoint names
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in mod
nvd
CVE-2019-10082CRITICALCVSS 9.1v8.0.0v8.1.0+2 more2019-09-26
CVE-2019-10082 [CRITICAL] CWE-416 CVE-2019-10082: In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could b
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
nvd
CVE-2019-10097HIGHCVSS 7.2v8.0.0v8.1.0+2 more2019-09-26
CVE-2019-10097 [HIGH] CWE-476 CVE-2019-10097: In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
nvd
CVE-2019-10092MEDIUMCVSS 6.1PoCv8.0.0v8.1.0+2 more2019-09-26
CVE-2019-10092 [MEDIUM] CWE-79 CVE-2019-10092: In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that
nvd