The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes…
[org.apache.cxf:cxf-core] Cleartext Transmission of Sensitive Information in Apache CXF
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers t…
[nnabla] Sony Neural Network Libraries reliance on untrusted inputs prior to v1.0.10
nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka nnabla) prior to v1.0.10 relies on the HOME environment variable, which might be untrusted.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10844
https://github.com/sony/nnabla/…
[org.apache.commons:commons-compress] Uncontrolled Resource Consumption in Apache Commons Compress
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many…
[github.com/protocolbuffers/protobuf] protobuf susceptible to buffer overflow
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
References
https://nvd.nist.gov/vuln/detail/CVE-2015-5237
https://github.com/google/protobuf/issues/760
https://bugzilla.redhat.com/show_bug.cgi?id=1256426
https://l…
[org.apache.zookeeper:zookeeper] Missing Authorization in Apache ZooKeeper
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result, an arbitrary end point could join the cluster and begin propagating counterfeit chang…
[org.apache.santuario:xmlsec] Improper Input Validation in Apache Santuario XML Security
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
References
https://nvd.nist.g…
[org.apache.santuario:xmlsec] Improper Input Validation in Apache Santuario XML Security
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-8152
https://exchange.xforce….
[org.opensaml:opensaml] Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) a…
[org.springframework:spring-web] Cross-Site Request Forgery in Spring Framework
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF…