Oracle Communications Unified Inventory Management vulnerabilities

CVE-2021-39140 [MEDIUM] CWE-502 CVE-2021-39140: XStream is a simple library to serialize objects to XML and back again. In affected versions this vu XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected,

CVE-2021-36373 [MEDIUM] CWE-130 CVE-2021-36373: When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amoun When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

CVE-2021-36374 [MEDIUM] CWE-130 CVE-2021-36374: When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apac

CVE-2021-36090 [HIGH] CWE-130 CVE-2021-36090: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memo When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

CVE-2021-29505 [HIGH] CWE-94 CVE-2021-29505: XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream v XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limi

CVE-2021-22118 [HIGH] CWE-269 CVE-2021-22118: In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux app In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with mult

CVE-2021-21346 [CRITICAL] CWE-434 CVE-2021-21346: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security fr

CVE-2021-21350 [CRITICAL] CWE-434 CVE-2021-21350: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist lim

CVE-2021-21344 [CRITICAL] CWE-434 CVE-2021-21344: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security fr

CVE-2021-21351 [CRITICAL] CWE-434 CVE-2021-21351: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framewor

CVE-2021-21347 [CRITICAL] CWE-434 CVE-2021-21347: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security fr

CVE-2021-21345 [CRITICAL] CWE-94 CVE-2021-21345: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security

CVE-2021-21342 [CRITICAL] CWE-502 CVE-2021-21342: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the

CVE-2021-21348 [HIGH] CWE-400 CVE-2021-21348: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited t

CVE-2021-21343 [HIGH] CWE-73 CVE-2021-21343: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the proc

CVE-2021-21349 [HIGH] CWE-502 CVE-2021-21349: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream

CVE-2021-21341 [HIGH] CWE-400 CVE-2021-21341: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. N

CVE-2021-22112 [HIGH] CVE-2021-22112: Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, an Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to r

CVE-2020-36179 [HIGH] CWE-502 CVE-2020-36179: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183 [HIGH] CWE-502 CVE-2020-36183: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.