CVE-2013-4002 Description XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names. Mitigation We recommend upgrading to a version of this…
Read More
CVE-2013-2172 Description jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature." Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend…
Read More
CVE-2013-2160 Description The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2160 https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc Project Category n/a Tags data functional Date Disclosed 2013-08-19 Date Discovered 2013-02-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2013-2071 Description java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2071 https://bz.apache.org/bugzilla/show_bug.cgi?id=54178#c10 http://tools.cisco.com/security/center/viewAlert.x?alertId=29283 Project Category n/a Tags functional Date Disclosed 2013-06-01 Date Discovered 2013-02-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2013-2067 Description java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2067 http://mail-archives.apache.org/mod_mbox/tomcat-announce/201305.mbox/%3C518CB1D4.1020106@apache.org%3E Project Category n/a Tags operational Date Disclosed 2013-06-01 Date Discovered 2013-02-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2013-2035 Description Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2035 http://tools.cisco.com/security/center/viewAlert.x?alertId=32047 Project Category n/a Tags data Date Disclosed 2013-08-28 Date Discovered 2013-02-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2013-1879 Description Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the "cron of a message." Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. `activemq-core` was moved to `activemq-client` in version 5.8 Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1879 https://issues.apache.org/jira/browse/AMQ-4397 https://exchange.xforce.ibmcloud.com/vulnerabilities/85586 Project Category n/a Tags data Date Disclosed 2013-07-18 Date Discovered 2013-02-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2013-1768 Description The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1768 http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0099.html Project Category n/a Tags data functional Date Disclosed 2013-07-11 Date Discovered 2013-02-19 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2013-0239 Description Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Workaround: A potential workaround is to not use a WS-SecurityPolicy that uses a plaintext `UsernameToken`. Documentation regarding this can be found at the link below: http://docs.oasis-open.org/ws-sx/security-policy/examples/ws-sp-usecases-examples.html#_Toc274723235 Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0239 https://cxf.apache.org/cve-2013-0239.html Project Category n/a Tags configuration functional Date Disclosed…
Read More
CVE-2012-5887 Description The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue or investigating other forms of authentication. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5887 http://tools.cisco.com/security/center/viewAlert.x?alertId=27343 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3439 Project Category n/a Tags functional Date Disclosed 2012-11-17 Date Discovered 2012-11-17 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us…
Read More
