Oracle Instantis Enterprisetrack vulnerabilities

57 known vulnerabilities affecting oracle/instantis_enterprisetrack.

Total CVEs: 57
CISA KEV: 6 (actively exploited)
Public exploits: 13
Exploited in wild: 6
Severity breakdown: CRITICAL 12, HIGH 29, MEDIUM 16

Vulnerabilities

Page 2 of 3
CVE-2021-22222 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2021-06-07
CVE-2021-22222 [HIGH] CWE-835: Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows denial of service via packet injection or crafted capture file
nvd
CVE-2021-25329 | HIGH | CVSS 7.0 | v17.1, v17.2, +1 more | 2021-03-01
CVE-2021-25329 [HIGH]: The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously
nvd
CVE-2021-25122 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2021-03-01
CVE-2021-25122 [HIGH] CWE-200: When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
nvd
CVE-2020-11987 | HIGH | CVSS 8.2 | v17.1, v17.2, +1 more | 2021-02-24
CVE-2020-11987 [HIGH] CWE-20: Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
nvd
CVE-2020-17527 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2020-12-03
CVE-2020-17527 [HIGH] CWE-200: While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the
nvd
CVE-2019-17566 | HIGH | CVSS 7.5 | ≥ 17.1, ≤ 17.3 | 2020-11-12
CVE-2019-17566 [HIGH] CWE-918: Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
nvd
CVE-2020-13943 | MEDIUM | CVSS 4.3 | v17.1, v17.2, +1 more | 2020-10-12
CVE-2020-13943 [MEDIUM]: If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a p
nvd
CVE-2020-11984 | CRITICAL | CVSS 9.8 | PoC | v17.1, v17.2, +1 more | 2020-08-07
CVE-2020-11984 [CRITICAL] CWE-120: Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
nvd
CVE-2020-11993 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2020-08-07
CVE-2020-11993 [HIGH] CWE-444: Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
nvd
CVE-2020-9490 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2020-08-07
CVE-2020-9490 [HIGH] CWE-444: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
nvd
CVE-2020-13934 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2020-07-14
CVE-2020-13934 [HIGH] CWE-401: An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
nvd
CVE-2020-13935 | HIGH | CVSS 7.5 | PoC | v17.1, v17.2, +1 more | 2020-07-14
CVE-2020-13935 [HIGH] CWE-835: The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
nvd
CVE-2020-9484 | HIGH | CVSS 7.0 | PoC | ≥ 17.1, ≤ 17.3 | 2020-05-20
CVE-2020-9484 [HIGH] CWE-502: When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassN
nvd
CVE-2020-11655 | HIGH | CVSS 7.5 | v17.1, v17.2, +1 more | 2020-04-09
CVE-2020-11655 [HIGH] CWE-665: SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
nvd
CVE-2020-1927 | MEDIUM | CVSS 6.1 | ≥ 17.1, ≤ 17.3 | 2020-04-02
CVE-2020-1927 [MEDIUM] CWE-601: In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
nvd
CVE-2020-1934 | MEDIUM | CVSS 5.3 | ≥ 17.1, ≤ 17.3 | 2020-04-01
CVE-2020-1934 [MEDIUM] CWE-908: In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
nvd
CVE-2020-1938 | CRITICAL | CVSS 9.8 | KEV | PoC | ≥ 17.1, ≤ 17.3 | 2020-02-24
CVE-2020-1938 [CRITICAL]: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8
nvd
CVE-2020-1935 | MEDIUM | CVSS 4.8 | ≥ 17.1, ≤ 17.3 | 2020-02-24
CVE-2020-1935 [MEDIUM] CWE-444: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encodi
nvd
CVE-2019-17569 | MEDIUM | CVSS 4.8 | ≥ 17.1, ≤ 17.3 | 2020-02-24
CVE-2019-17569 [MEDIUM] CWE-444: The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the inval
nvd
CVE-2019-0219 | CRITICAL | CVSS 9.8 | v17.1, v17.2, +1 more | 2020-01-14
CVE-2019-0219 [CRITICAL]: A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.
nvd