Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many…
[github.com/protocolbuffers/protobuf] protobuf susceptible to buffer overflow
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
References
https://nvd.nist.gov/vuln/detail/CVE-2015-5237
https://github.com/google/protobuf/issues/760
https://bugzilla.redhat.com/show_bug.cgi?id=1256426
https://l…
[org.apache.zookeeper:zookeeper] Missing Authorization in Apache ZooKeeper
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit chang…
[org.apache.santuario:xmlsec] Improper Input Validation in Apache Santuario XML Security
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-8152
https://exchange.xforce…
[org.apache.santuario:xmlsec] Improper Input Validation in Apache Santuario XML Security
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
References
https://nvd.nist.g…
[org.opensaml:opensaml] Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) a…
[org.springframework:spring-web] Cross-Site Request Forgery in Spring Framework
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF…
[org.springframework:spring-webmvc] Cross-Site Request Forgery in Spring Framework
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CS…
[org.springframework:spring-oxm] Missing XML Validation in Spring Framework
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and con…
[org.springframework:spring-oxm] Cross-Site Request Forgery in Spring Framework
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF atta…