The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Bea Systems WebLogic Server

security vulnerability CVE-2018-17197

Apache Tika: infinite loop via SQLite3Parser

Synthesis of the vulnerability

An attacker can trigger an infinite loop in the SQLite3Parser of Apache Tika, in order to cause a denial of service.
Severity: 2/4.
Creation date: 17/07/2019.
Identifiers: cpujul2019, CVE-2018-17197, VIGILANCE-VUL-29790.
Full Vigil@nce bulletin... (Free trial)


cybersecurity bulletin CVE-2007-2694 CVE-2007-2695 CVE-2007-2696

WebLogic, Tuxedo: several vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server/Express and Tuxedo.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 15/05/2007.
Revision date: 29/05/2019.
Identifiers: BEA05-80.02, BEA07-158.00, BEA07-159.00, BEA07-160.00, BEA07-161.00, BEA07-162.00, BEA07-163.00, BEA07-164.00, BEA07-164.01, BEA07-165.00, BEA07-168.00, BEA07-169.00, BEA07-80.03, BEA08-159.01, BEA08-80.04, BID-23979, CVE-2007-2694, CVE-2007-2695, CVE-2007-2696, CVE-2007-2697, CVE-2007-2698, CVE-2007-2699, CVE-2007-2700, CVE-2007-2701, CVE-2007-2704, CVE-2007-2705, CVE-2008-0902, VIGILANCE-VUL-6816.

Description of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server/Express and Tuxedo.

Several Cross Site Scripting vulnerabilities can be exploited. [severity:3/4; BEA05-80.02, BEA07-80.03, BEA08-80.04, CVE-2007-2694, CVE-2008-0902]

The cnsbind, cnsunbind and cnsls commands of Tuxedo can display sensitive information. [severity:3/4; BEA07-158.00]

Some requests sent through the WebLogic HttpClusterServlet or HttpProxyServlet, when configured with the SecureProxy parameter, can be executed with elevated privileges. [severity:3/4; BEA07-159.00, BEA08-159.01, CVE-2007-2695]

The JMS backend does not perform security access checks. [severity:3/4; BEA07-160.00, CVE-2007-2696]

The LDAP server does not limit the number of connection attempts. [severity:3/4; BEA07-161.00, CVE-2007-2697]

The administration console can display some sensitive attributes in clear text. [severity:3/4; BEA07-162.00, CVE-2007-2698]

The WLSR script generated from configToScript contains a clear text password. [severity:3/4; BEA07-163.00, CVE-2007-2700]

All Deployers can deploy an application even if the Domain Security Policies restrict this. [severity:3/4; BEA07-164.00, BEA07-164.01, CVE-2007-2699]

A WebLogic JMS Bridge can transfer a message to a protected queue. [severity:3/4; BEA07-165.00, CVE-2007-2701]

An attacker can generate a denial of service by connecting to an SSL port in a half-closed state. [severity:3/4; BEA07-168.00, CVE-2007-2704]

RSA signatures are incorrectly verified when the public exponent is 3 (VIGILANCE-VUL-6140). [severity:3/4; BEA07-169.00, CVE-2007-2705]

threat bulletin CVE-2019-12086

jackson-databind: file reading

Synthesis of the vulnerability

An attacker can read a file from a client using jackson-databind, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 21/05/2019.
Identifiers: 5048, cpujul2019, cpuoct2019, CVE-2019-12086, DLA-1798-1, DSA-4452-1, FEDORA-2019-ae6a703b8f, FEDORA-2019-fb23eccc03, RHSA-2019:2935-01, RHSA-2019:2936-01, RHSA-2019:2937-01, RHSA-2019:2938-01, RHSA-2019:3044-01, RHSA-2019:3045-01, RHSA-2019:3046-01, RHSA-2019:3050-01, VIGILANCE-VUL-29375.


cybersecurity threat CVE-2018-2587 CVE-2018-2628 CVE-2018-2739

Oracle Fusion Middleware: vulnerabilities of April 2018

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle products.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 10.
Creation date: 18/04/2018.
Revision date: 19/04/2019.
Identifiers: cpuapr2018, CVE-2018-2587, CVE-2018-2628, CVE-2018-2739, CVE-2018-2760, CVE-2018-2765, CVE-2018-2770, CVE-2018-2791, CVE-2018-2828, CVE-2018-2834, CVE-2018-2879, VIGILANCE-VUL-25897.


computer threat bulletin CVE-2019-10909 CVE-2019-11358

jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: bulletinoct2019, CERTFR-2019-AVI-180, cpuoct2019, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.


computer vulnerability note CVE-2019-11358

jQuery Core: privilege escalation via Object.prototype Pollution

Synthesis of the vulnerability

An attacker can bypass restrictions via Object.prototype Pollution of jQuery Core, in order to escalate his privileges.
Severity: 2/4.
Creation date: 11/04/2019.
Identifiers: bulletinoct2019, cpujul2019, cpuoct2019, CVE-2019-11358, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4460-1, EZSA-2019-005, FEDORA-2019-2a0ce0c58c, FEDORA-2019-a06dffab1c, FEDORA-2019-f563e66380, NTAP-20190919-0001, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, VIGILANCE-VUL-29030.


cybersecurity announcement CVE-2018-11307

jackson-databind: information disclosure via Default Typing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Default Typing of jackson-databind, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 04/03/2019.
Identifiers: cpujan2019, cpujul2019, CVE-2018-11307, DLA-1703-1, DSA-4452-1, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28642.


weakness announcement CVE-2019-1559

OpenSSL 1.0.2: information disclosure via 0-byte Record Padding Oracle

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via 0-byte Record Padding Oracle of OpenSSL 1.0.2, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 26/02/2019.
Identifiers: bulletinapr2019, bulletinjul2019, CERTFR-2019-AVI-080, CERTFR-2019-AVI-132, CERTFR-2019-AVI-214, CERTFR-2019-AVI-325, cpuapr2019, cpujul2019, cpuoct2019, CVE-2019-1559, DLA-1701-1, DSA-4400-1, FEDORA-2019-00c25b9379, ibm10876638, ibm10886237, ibm10886659, JSA10949, openSUSE-SU-2019:1076-1, openSUSE-SU-2019:1105-1, openSUSE-SU-2019:1173-1, openSUSE-SU-2019:1175-1, openSUSE-SU-2019:1432-1, openSUSE-SU-2019:1637-1, RHBUG-1683804, RHBUG-1683807, RHSA-2019:2304-01, RHSA-2019:2471-01, SB10282, SSA:2019-057-01, SSB-439005, STORM-2019-001, SUSE-SU-2019:0572-1, SUSE-SU-2019:0600-1, SUSE-SU-2019:0658-1, SUSE-SU-2019:0803-1, SUSE-SU-2019:0818-1, SUSE-SU-2019:1362-1, SUSE-SU-2019:14091-1, SUSE-SU-2019:14092-1, SUSE-SU-2019:1553-1, SUSE-SU-2019:1608-1, SYMSA1490, TNS-2019-02, USN-3899-1, VIGILANCE-VUL-28600.


computer threat alert CVE-2018-12023

jackson-databind: code execution via Oracle JDBC Driver Deserialization

Synthesis of the vulnerability

An attacker can use a vulnerability via Oracle JDBC Driver Deserialization of jackson-databind, in order to run code.
Severity: 3/4.
Creation date: 19/02/2019.
Identifiers: 5048, cpujan2019, cpujul2019, CVE-2018-12023, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28553.


computer vulnerability alert CVE-2018-14718

jackson-databind: code execution via slf4j-ext

Synthesis of the vulnerability

An attacker can use a vulnerability via slf4j-ext of jackson-databind, in order to run code.
Severity: 3/4.
Creation date: 19/02/2019.
Identifiers: 5048, cpuapr2019, cpujan2019, CVE-2018-14718, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, VIGILANCE-VUL-28550.
