
CVE-2015-7559

Description
It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7559
http://activemq.apache.org/security-advisories.data/CVE-2015-7559-announcement.txt

Project Category: CWE-306
Tags: data
Date Disclosed: 2019-08-01
Date Discovered: 2015-09-29

CVE-2015-6644

Description
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6644
https://github.com/bcgit/bc-java/issues/177
https://bugzilla.redhat.com/show_bug.cgi?id=1444015

Project Category: n/a
Tags: data
Date Disclosed: 2016-01-06
Date Discovered: 2015-08-21

CVE-2015-6524

Description
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable…
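The filter-building pattern behind this class of bug, as an added example that is not ActiveMQ's own LDAPLoginModule code: a login module builds an LDAP search filter from the supplied username, so a username containing `*` (or the other RFC 4515 metacharacters `(`, `)`, `\` and NUL) changes what the filter matches instead of being compared literally. With a bare `*` the filter becomes `(uid=*)`, which matches every entry, so an attacker no longer needs a valid username and only has to guess passwords. The hardened form below refuses wildcards outright and escapes whatever remains. The attribute name `uid`, the class name and the probe usernames are assumptions.

```java
public final class LdapUsernameGuard {
    private LdapUsernameGuard() {}

    /** Escapes the RFC 4515 filter metacharacters so the value can only match literally. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the username is interpolated verbatim, so "*" matches every entry. */
    public static String naiveFilter(String username) {
        return "(uid=" + username + ")";
    }

    /**
     * Hardened pattern: a login name is an exact identifier, so refuse wildcards
     * instead of escaping them, then escape anything else that could alter the filter.
     */
    public static String safeFilter(String username) {
        if (username == null || username.isEmpty() || username.indexOf('*') >= 0) {
            throw new IllegalArgumentException("username must be a literal identifier");
        }
        return "(uid=" + escapeFilterValue(username) + ")";
    }

    public static void main(String[] args) {
        // Constructed probes: a normal user, a bare wildcard, a prefix wildcard,
        // and an attempt to inject a second filter clause.
        String[] probes = { "alice", "*", "ali*", "x)(uid=admin" };
        for (String p : probes) {
            System.out.println("naive: " + naiveFilter(p));
            try {
                System.out.println("safe : " + safeFilter(p));
            } catch (IllegalArgumentException e) {
                System.out.println("safe : rejected \"" + p + "\"");
            }
        }
    }
}
```

Rejecting rather than escaping `*` is deliberate: an escaped wildcard (`\2a`) would be a valid literal search, but no real login name contains one, so treating it as an error also gives the authentication log a clear signal of probing.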

CVE-2015-5351

Description
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351
https://tomcat.apache.org/security-7.html

Project Category: n/a
Tags: data, configuration
Date Disclosed: 2016-02-25
Date Discovered: 2015-07-01

CVE-2015-5346

Description
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346
http://tomcat.apache.org/security-9.html
https://bugzilla.redhat.com/show_bug.cgi?id=1311085

Project Category: n/a
Tags: data
Date Disclosed: 2016-02-25
Date Discovered: 2015-07-01

CVE-2015-5345

Description
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345
http://tomcat.apache.org/security-9.html
https://bz.apache.org/bugzilla/show_bug.cgi?id=58660#c0

Project Category: n/a
Tags: data
Date Disclosed: 2016-02-25
Date Discovered: 2015-07-01

CVE-2015-5254

Description
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Related…
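A consumer-side allow list for ObjectMessage payloads, as an added example that is not ActiveMQ's own code. The broker stores an ObjectMessage as bytes; the crafted payload is deserialized in the JVM that calls getObject(), so that is where the restriction has to be enforced. The example uses the setTrustedPackages and setTrustAllPackages methods that ActiveMQConnectionFactory gained with the fix. The broker URL, queue name, trusted package name and class name are assumptions.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public final class TrustedObjectMessageConsumer {
    // Assumed: this application's payload classes live in com.example.orders;
    // java.lang is listed so plain String payloads still deserialize.
    static final String[] TRUSTED_PACKAGES = { "com.example.orders", "java.lang" };

    /** Factory with an explicit deserialization allow list (API added with the fix). */
    public static ActiveMQConnectionFactory hardenedFactory(String brokerUrl) {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        // Before the fix any class on the consumer's classpath was eligible for
        // deserialization. Never call setTrustAllPackages(true): it re-opens that surface.
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(Arrays.asList(TRUSTED_PACKAGES));
        return factory;
    }

    /**
     * Receives one message and returns its payload. An ObjectMessage whose class is
     * outside the allow list makes getObject() throw a JMSException; the session is
     * rolled back so the message is left for redelivery and dead-letter handling
     * instead of being silently dropped.
     */
    public static Object receiveTrusted(String brokerUrl, String queueName, long timeoutMs)
            throws JMSException {
        Connection conn = hardenedFactory(brokerUrl).createConnection();
        try {
            conn.start();
            Session session = conn.createSession(true, Session.SESSION_TRANSACTED);
            MessageConsumer consumer = session.createConsumer(session.createQueue(queueName));
            Message msg = consumer.receive(timeoutMs);
            if (msg == null) {
                return null;                       // nothing arrived within the timeout
            }
            if (!(msg instanceof ObjectMessage)) {
                session.commit();                  // Text/Bytes/Map messages carry no Java objects
                return msg;
            }
            try {
                Object payload = ((ObjectMessage) msg).getObject();   // allow list enforced here
                session.commit();
                return payload;
            } catch (JMSException forbidden) {
                session.rollback();
                throw forbidden;
            }
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        // Assumed broker URL and queue name.
        Object payload = receiveTrusted("tcp://localhost:61616", "orders", 5000);
        System.out.println(payload == null ? "no message" : "received " + payload.getClass().getName());
    }
}
```

Where the consuming code cannot be changed, the same allow list can be supplied to a fixed client as the system property org.apache.activemq.SERIALIZABLE_PACKAGES; the safest design, however, avoids ObjectMessage altogether and carries payloads as text (JSON) or bytes with an explicit schema.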

CVE-2015-5174

Description
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174
https://bugs.mageia.org/show_bug.cgi?id=17847

Project Category: n/a
Tags: data
Date Disclosed: 2016-02-25
Date Discovered: 2015-07-01
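A normalizer for web-application resource paths, as an added example rather than Tomcat's own RequestUtil code: it resolves `.` and `..` segment by segment and returns null for any path that would climb above the application root, including a pathname that ends in `/..` with no trailing slash, the form the description calls out. The class name and the probe paths are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public final class ResourcePathGuard {
    private ResourcePathGuard() {}

    /**
     * Returns the normalized path, or null when the input is not an absolute
     * in-application path or would escape the application root. Handles "/../",
     * a trailing "/.." with no slash after it, "/./" and repeated slashes.
     */
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;                   // resource paths are always rooted at the webapp
        }
        if (path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) {
            return null;                   // no alternate separators, no NUL truncation tricks
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                  // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;           // would climb above the root: refuse, never clamp
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder("/");
        for (String s : segments) {
            sb.append(s).append('/');
        }
        // A path that named a directory ("/a/b/", "/a/..", "/a/.") keeps its trailing slash;
        // a path that named an entry ("/a/b") does not.
        boolean namedDirectory = path.endsWith("/") || path.endsWith("/..") || path.endsWith("/.");
        if (!namedDirectory && sb.length() > 1) {
            sb.setLength(sb.length() - 1);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed probes; the last four must all be refused.
        String[] probes = { "/WEB-INF/", "/a/../WEB-INF/web.xml", "/a/..", "/./a//b",
                            "/..", "/a/../..", "/../x", "/a/..\\b" };
        for (String p : probes) {
            System.out.println(p + " -> " + normalize(p));
        }
    }
}
```

Call normalize() on the path before handing it to getResource, getResourceAsStream or getResourcePaths, and treat null as a hard error; clamping an over-climbing path to "/" instead of refusing it would turn the traversal attempt into a listing of the application root.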

CVE-2015-1796

Description
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue. If upgrading is not feasible, follow the workaround(s) stated on the reference pages.

Reference(s):
https://wiki.shibboleth.net/confluence/display/SHIB2/20150225+Security+Advisory+Examples
https://shibboleth.net/community/advisories/secadv_20150225.txt

Related links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1796
https://issues.shibboleth.net/jira/browse/JXT-116
https://shibboleth.net/community/advisories/secadv_20150225.txt
https://wiki.shibboleth.net/confluence/display/SHIB2/20150225+Security+Advisory+Examples
https://bugzilla.redhat.com/show_bug.cgi?id=1196619

Project Category: n/a
Tags: data
Date Disclosed: 2015-07-08
Date Discovered: 2015-02-17

CVE-2015-0254

Description
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Mitigation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note for the fixed version(s):
```
This version uses JAXP's FEATURE_SECURE_PROCESSING to restrict XML processing. Depending on the Java runtime version in use, additional configuration may be required:
Java8: External entity access is automatically disabled if a SecurityManager is active.
Java7: JAXP properties may need to…
```
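How JAXP's FEATURE_SECURE_PROCESSING and the related access properties close both surfaces the description names, as an added example that is not the taglibs project's own code: a DocumentBuilderFactory that refuses DOCTYPEs and external entities (the <x:parse> side), shown beside the unhardened default, and a TransformerFactory with secure processing enabled and external DTD and stylesheet access set to the empty string, which is what keeps a stylesheet from reaching extension functions or external resources (the <x:transform> side). The sample document and the file path it references are constructed, and the class name is an assumption. The ACCESS_EXTERNAL_* constants are JAXP 1.5 (Java 7u40 and later); a third-party TransformerFactory that predates them throws IllegalArgumentException from setAttribute, which is the signal to upgrade it rather than to drop the attribute.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class HardenedJaxp {
    private HardenedJaxp() {}

    // Constructed sample: a document whose external entity points at a local file.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
        + "<doc>&ext;</doc>";

    /** Parser factory that rejects DOCTYPE declarations and all external entities. */
    public static DocumentBuilderFactory hardenedParserFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Transformer factory with secure processing on and no external DTD/stylesheet access. */
    public static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // disables extension functions
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Unhardened default: expands the entity and returns whatever the file contained. */
    public static String defaultParserText(String xml) {
        try {
            DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent().trim();
        } catch (Exception e) {
            return "parse failed: " + e.getMessage();
        }
    }

    /** Hardened parser: true when the DOCTYPE was refused before any entity was resolved. */
    public static boolean hardenedParserBlocks(String xml) throws Exception {
        DocumentBuilder b = hardenedParserFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException refused) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser text : " + defaultParserText(XXE_DOC));
        System.out.println("hardened parser blocks: " + hardenedParserBlocks(XXE_DOC));
        TransformerFactory tf = hardenedTransformerFactory();
        System.out.println("transformer secure processing: "
            + tf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
    }
}
```

Disallowing the DOCTYPE is the decisive setting for the parser: it fails before the entity declaration is read, so the file is never opened. The other features are defence in depth for documents that arrive through a parser where a DOCTYPE must be allowed.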