Oracle Insurance Rules Palette vulnerabilities

34 known vulnerabilities affecting oracle/insurance_rules_palette.

Total CVEs

CISA KEV

Public exploits

Exploited in wild

Severity breakdown

CRITICAL4HIGH21MEDIUM8LOW1

Vulnerabilities

Page 1 of 2

CVE-2021-2351HIGHCVSS 7.5v11.0.2v11.1.0+3 more2021-07-21

CVE-2021-2351 [HIGH] CWE-327 CVE-2021-2351: Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versi Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a perso

nvd

CVE-2021-22118HIGHCVSS 7.8v11.0.2v11.1.0+3 more2021-05-27

CVE-2021-22118 [HIGH] CWE-269 CVE-2021-22118: In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux app In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with mult

nvd

CVE-2021-29425MEDIUMCVSS 4.8v11.0.2v11.1.0+3 more2021-04-13

CVE-2021-29425 [MEDIUM] CWE-20 CVE-2021-29425: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper i In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to constru

nvd

CVE-2020-36179HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-07

CVE-2020-36179 [HIGH] CWE-502 CVE-2020-36179: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

nvd

CVE-2020-36183HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-07

CVE-2020-36183 [HIGH] CWE-502 CVE-2020-36183: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

nvd

CVE-2020-36182HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-07

CVE-2020-36182 [HIGH] CWE-502 CVE-2020-36182: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

nvd

CVE-2020-36180HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-07

CVE-2020-36180 [HIGH] CWE-502 CVE-2020-36180: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

nvd

CVE-2020-36189HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36189 [HIGH] CWE-502 CVE-2020-36189: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

nvd

CVE-2020-36184HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36184 [HIGH] CWE-502 CVE-2020-36184: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

nvd

CVE-2020-36186HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36186 [HIGH] CWE-502 CVE-2020-36186: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

nvd

CVE-2020-36187HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36187 [HIGH] CWE-502 CVE-2020-36187: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

nvd

CVE-2020-36181HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36181 [HIGH] CWE-502 CVE-2020-36181: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

nvd

CVE-2020-36188HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36188 [HIGH] CWE-502 CVE-2020-36188: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

nvd

CVE-2020-36185HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22021-01-06

CVE-2020-36185 [HIGH] CWE-502 CVE-2020-36185: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

nvd

CVE-2020-35728HIGHCVSS 8.1≥ 11.1.0, ≤ 11.3.0v11.0.22020-12-27

CVE-2020-35728 [HIGH] CWE-502 CVE-2020-35728: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadg FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

nvd

CVE-2020-25649HIGHCVSS 7.5≥ 11.1.0, ≤ 11.3.0v11.0.22020-12-03

CVE-2020-25649 [HIGH] CWE-611 CVE-2020-25649: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured prope A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

nvd

CVE-2020-5421MEDIUMCVSS 6.5≥ 11.1.0, ≤ 11.3.0v10.2.0+2 more2020-09-19

CVE-2020-5421 [MEDIUM] CVE-2020-5421: In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and olde In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

nvd

CVE-2020-10683CRITICALCVSS 9.8≥ 11.1.0, ≤ 11.3.0v10.2.0+2 more2020-05-01

CVE-2020-10683 [CRITICAL] CWE-611 CVE-2020-10683: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, whi dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

nvd

CVE-2020-9488LOWCVSS 3.7v10.2.0.37v10.2.4.12+3 more2020-04-27

CVE-2020-9488 [LOW] CWE-295 CVE-2020-9488: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allo Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

nvd

CVE-2020-5398HIGHCVSS 7.5v10.2.0v10.2.4+3 more2020-01-17

CVE-2020-5398 [HIGH] CWE-79 CVE-2020-5398: In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0 In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

nvd

1 / 2Next →