Oracle Primavera Unifier vulnerabilities

95 known vulnerabilities affecting oracle/primavera_unifier.

Total CVEs

CISA KEV

actively exploited

Public exploits

Exploited in wild

Severity breakdown

CRITICAL20HIGH35MEDIUM38LOW2

Vulnerabilities

Page 1 of 5

CVE-2022-25169MEDIUMCVSS 5.5≥ 17.7, ≤ 17.12v18.8+3 more2022-05-16

CVE-2022-25169 [MEDIUM] CWE-770 CVE-2022-25169: The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amoun The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

nvd

CVE-2022-30126MEDIUMCVSS 5.5≥ 17.7, ≤ 17.12v18.8+3 more2022-05-16

CVE-2022-30126 [MEDIUM] CVE-2022-30126: In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingCont In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

nvd

CVE-2020-36518HIGHCVSS 7.5≥ 17.0, ≤ 17.12v18.0+3 more2022-03-11

CVE-2020-36518 [HIGH] CWE-787 CVE-2020-36518: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a lar jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

nvd

CVE-2021-44832MEDIUMCVSS 6.6Exploitedv18.8v19.12+2 more2021-12-28

CVE-2021-44832 [MEDIUM] CWE-20 CVE-2021-44832: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) a Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java

nvd

CVE-2021-45105MEDIUMCVSS 5.9v18.8v19.12+2 more2021-12-18

CVE-2021-45105 [MEDIUM] CWE-20 CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from u Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

nvd

CVE-2021-23450CRITICALCVSS 9.8≥ 17.7, ≤ 17.12v18.8+3 more2021-12-17

CVE-2021-23450 [HIGH] CWE-1321 CVE-2021-23450: All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.

nvd

CVE-2021-41182MEDIUMCVSS 6.1v17.7v17.8+9 more2021-10-26

CVE-2021-41182 [MEDIUM] CWE-79 CVE-2021-41182: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the valu jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not acc

nvd

CVE-2021-41184MEDIUMCVSS 6.1≥ 17.7, ≤ 17.12v18.8+3 more2021-10-26

CVE-2021-41184 [MEDIUM] CWE-79 CVE-2021-41184: jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the valu jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the val

nvd

CVE-2021-42575CRITICALCVSS 9.8≥ 17.7, ≤ 17.12v18.8+3 more2021-10-18

CVE-2021-42575 [CRITICAL] CVE-2021-42575: The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with t The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.

nvd

CVE-2021-38153MEDIUMCVSS 5.9v18.8v19.12+2 more2021-09-22

CVE-2021-38153 [MEDIUM] CWE-203 CVE-2021-38153: Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerab Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0

nvd

CVE-2021-37714HIGHCVSS 7.5v20.12v21.122021-08-18

CVE-2021-37714 [HIGH] CWE-248 CVE-2021-37714: jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse u jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw a

nvd

CVE-2021-2351HIGHCVSS 7.5≥ 17.7, ≤ 17.12v18.8+3 more2021-07-21

CVE-2021-2351 [HIGH] CWE-327 CVE-2021-2351: Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versi Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a perso

nvd

CVE-2021-36373MEDIUMCVSS 5.5≥ 17.7, ≤ 17.12v18.8+2 more2021-07-14

CVE-2021-36373 [MEDIUM] CWE-130 CVE-2021-36373: When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amoun When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

nvd

CVE-2021-36374MEDIUMCVSS 5.5≥ 17.7, ≤ 17.12v18.8+2 more2021-07-14

CVE-2021-36374 [MEDIUM] CWE-130 CVE-2021-36374: When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apac

nvd

CVE-2021-35515HIGHCVSS 7.5≥ 17.7, ≤ 17.12v18.8+2 more2021-07-13

CVE-2021-35515 [HIGH] CWE-834 CVE-2021-35515: When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

nvd

CVE-2021-36090HIGHCVSS 7.5≥ 17.7, ≤ 17.12v18.8+2 more2021-07-13

CVE-2021-36090 [HIGH] CWE-130 CVE-2021-36090: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memo When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

nvd

CVE-2021-35517HIGHCVSS 7.5≥ 17.7, ≤ 17.12v18.8+2 more2021-07-13

CVE-2021-35517 [HIGH] CWE-130 CVE-2021-35517: When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memo When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

nvd

CVE-2021-35516HIGHCVSS 7.5≥ 17.7, ≤ 17.12v18.8+2 more2021-07-13

CVE-2021-35516 [HIGH] CWE-130 CVE-2021-35516: When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memor When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

nvd

CVE-2021-31811MEDIUMCVSS 5.5≥ 17.7, ≤ 17.12v18.8+2 more2021-06-12

CVE-2021-31811 [MEDIUM] CWE-789 CVE-2021-31811: In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading th In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

nvd

CVE-2021-29425MEDIUMCVSS 4.8≥ 17.7, ≤ 17.12v18.8+3 more2021-04-13

CVE-2021-29425 [MEDIUM] CWE-20 CVE-2021-29425: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper i In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to constru

nvd

1 / 5Next →