Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2013-0422

Summary
Assigner-oracle
Assigner Org ID-43595867-4340-4103-b7a2-9a5208d29a85
Published At-10 Jan, 2013 | 21:23
Updated At-30 Jul, 2025 | 01:46
Rejected At-
Credits

Oracle JRE Remote Code Execution Vulnerability

A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Known Exploited Vulnerabilities (KEV)
cisa.gov
Vendor:
Oracle CorporationOracle
Product:Java Runtime Environment (JRE)
Added At:25 May, 2022
Due At:15 Jun, 2022

Oracle JRE Remote Code Execution Vulnerability

A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on a vulnerable system.

Used in Ransomware

:

Unknown

CWE

:
CWE-264

Required Action:

Apply updates per vendor instructions.

Additional Notes:

https://nvd.nist.gov/vuln/detail/CVE-2013-0422
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:oracle
Assigner Org ID:43595867-4340-4103-b7a2-9a5208d29a85
Published At:10 Jan, 2013 | 21:23
Updated At:30 Jul, 2025 | 01:46
Rejected At:
▼CVE Numbering Authority (CNA)

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://rhn.redhat.com/errata/RHSA-2013-0156.html
vendor-advisory
x_refsource_REDHAT
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
x_refsource_MISC
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
vendor-advisory
x_refsource_MANDRIVA
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
vendor-advisory
x_refsource_SUSE
http://rhn.redhat.com/errata/RHSA-2013-0165.html
vendor-advisory
x_refsource_REDHAT
http://www.kb.cert.org/vuls/id/625617
third-party-advisory
x_refsource_CERT-VN
http://www.us-cert.gov/cas/techalerts/TA13-010A.html
third-party-advisory
x_refsource_CERT
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
x_refsource_MISC
http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
x_refsource_MISC
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
x_refsource_MISC
http://www.ubuntu.com/usn/USN-1693-1
vendor-advisory
x_refsource_UBUNTU
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
x_refsource_CONFIRM
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
x_refsource_MISC
https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
x_refsource_MISC
http://seclists.org/bugtraq/2013/Jan/48
mailing-list
x_refsource_BUGTRAQ
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
x_refsource_CONFIRM
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
x_refsource_MISC
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
x_refsource_MISC
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0156.html
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Resource:
x_refsource_MISC
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
Resource:
vendor-advisory
x_refsource_MANDRIVA
Hyperlink: http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
Resource:
x_refsource_MISC
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
Resource:
vendor-advisory
x_refsource_SUSE
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0165.html
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: http://www.kb.cert.org/vuls/id/625617
Resource:
third-party-advisory
x_refsource_CERT-VN
Hyperlink: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
Resource:
third-party-advisory
x_refsource_CERT
Hyperlink: https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
Resource:
x_refsource_MISC
Hyperlink: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Resource:
x_refsource_MISC
Hyperlink: https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Resource:
x_refsource_MISC
Hyperlink: http://www.ubuntu.com/usn/USN-1693-1
Resource:
vendor-advisory
x_refsource_UBUNTU
Hyperlink: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
Resource:
x_refsource_CONFIRM
Hyperlink: http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
Resource:
x_refsource_MISC
Hyperlink: https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Resource:
x_refsource_MISC
Hyperlink: http://seclists.org/bugtraq/2013/Jan/48
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Resource:
x_refsource_CONFIRM
Hyperlink: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Resource:
x_refsource_MISC
Hyperlink: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://rhn.redhat.com/errata/RHSA-2013-0156.html
vendor-advisory
x_refsource_REDHAT
x_transferred
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
x_refsource_MISC
x_transferred
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
vendor-advisory
x_refsource_MANDRIVA
x_transferred
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
x_refsource_MISC
x_transferred
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
vendor-advisory
x_refsource_SUSE
x_transferred
http://rhn.redhat.com/errata/RHSA-2013-0165.html
vendor-advisory
x_refsource_REDHAT
x_transferred
http://www.kb.cert.org/vuls/id/625617
third-party-advisory
x_refsource_CERT-VN
x_transferred
http://www.us-cert.gov/cas/techalerts/TA13-010A.html
third-party-advisory
x_refsource_CERT
x_transferred
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
x_refsource_MISC
x_transferred
http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
x_refsource_MISC
x_transferred
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
x_refsource_MISC
x_transferred
http://www.ubuntu.com/usn/USN-1693-1
vendor-advisory
x_refsource_UBUNTU
x_transferred
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
x_refsource_CONFIRM
x_transferred
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
x_refsource_MISC
x_transferred
https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
x_refsource_MISC
x_transferred
http://seclists.org/bugtraq/2013/Jan/48
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
x_refsource_CONFIRM
x_transferred
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
x_refsource_MISC
x_transferred
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
x_refsource_MISC
x_transferred
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0156.html
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
Resource:
vendor-advisory
x_refsource_MANDRIVA
x_transferred
Hyperlink: http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
Resource:
vendor-advisory
x_refsource_SUSE
x_transferred
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0165.html
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: http://www.kb.cert.org/vuls/id/625617
Resource:
third-party-advisory
x_refsource_CERT-VN
x_transferred
Hyperlink: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
Resource:
third-party-advisory
x_refsource_CERT
x_transferred
Hyperlink: https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.ubuntu.com/usn/USN-1693-1
Resource:
vendor-advisory
x_refsource_UBUNTU
x_transferred
Hyperlink: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://seclists.org/bugtraq/2013/Jan/48
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-284CWE-284 Improper Access Control
Type: CWE
CWE ID: CWE-284
Description: CWE-284 Improper Access Control
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
kev
dateAdded:
2022-05-25
reference:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
CVE-2013-0422 added to CISA KEV2022-05-25 00:00:00
Event: CVE-2013-0422 added to CISA KEV
Date: 2022-05-25 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert_us@oracle.com
Published At:10 Jan, 2013 | 21:55
Updated At:11 Apr, 2025 | 00:51

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
2022-05-252022-06-15Oracle JRE Remote Code Execution VulnerabilityApply updates per vendor instructions.
Date Added: 2022-05-25
Due Date: 2022-06-15
Vulnerability Name: Oracle JRE Remote Code Execution Vulnerability
Required Action: Apply updates per vendor instructions.
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.010.0HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CPE Matches
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
Oracle Corporation
oracle
>>jdk>>1.7.0
cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
Oracle Corporation
oracle
>>jre>>1.7.0
cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
Canonical Ltd.
canonical
>>ubuntu_linux>>12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
openSUSE
opensuse
>>opensuse>>12.2
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-264Primarynvd@nist.gov
CWE-284Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-264
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-284
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.htmlsecalert_us@oracle.com
Not Applicable
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/secalert_us@oracle.com
Broken Link
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.htmlsecalert_us@oracle.com
Third Party Advisory
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/secalert_us@oracle.com
Third Party Advisory
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/secalert_us@oracle.com
Broken Link
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.htmlsecalert_us@oracle.com
Mailing List
Third Party Advisory
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.htmlsecalert_us@oracle.com
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0156.htmlsecalert_us@oracle.com
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0165.htmlsecalert_us@oracle.com
Third Party Advisory
http://seclists.org/bugtraq/2013/Jan/48secalert_us@oracle.com
Mailing List
Third Party Advisory
http://www.kb.cert.org/vuls/id/625617secalert_us@oracle.com
Third Party Advisory
US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095secalert_us@oracle.com
Not Applicable
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.htmlsecalert_us@oracle.com
Vendor Advisory
http://www.ubuntu.com/usn/USN-1693-1secalert_us@oracle.com
Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-010A.htmlsecalert_us@oracle.com
Third Party Advisory
US Government Resource
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdfsecalert_us@oracle.com
Broken Link
https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013secalert_us@oracle.com
Not Applicable
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018secalert_us@oracle.com
Third Party Advisory
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_ussecalert_us@oracle.com
Not Applicable
http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.htmlaf854a3a-2127-422b-91ae-364da2661108
Not Applicable
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/af854a3a-2127-422b-91ae-364da2661108
Broken Link
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/af854a3a-2127-422b-91ae-364da2661108
Broken Link
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.htmlaf854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0156.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0165.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://seclists.org/bugtraq/2013/Jan/48af854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
http://www.kb.cert.org/vuls/id/625617af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095af854a3a-2127-422b-91ae-364da2661108
Not Applicable
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.htmlaf854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://www.ubuntu.com/usn/USN-1693-1af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-010A.htmlaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
US Government Resource
https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdfaf854a3a-2127-422b-91ae-364da2661108
Broken Link
https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013af854a3a-2127-422b-91ae-364da2661108
Not Applicable
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_usaf854a3a-2127-422b-91ae-364da2661108
Not Applicable
Hyperlink: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Source: secalert_us@oracle.com
Resource:
Not Applicable
Hyperlink: http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
Source: secalert_us@oracle.com
Resource:
Broken Link
Hyperlink: http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Source: secalert_us@oracle.com
Resource:
Broken Link
Third Party Advisory
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
Source: secalert_us@oracle.com
Resource:
Mailing List
Third Party Advisory
Hyperlink: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0156.html
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0165.html
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: http://seclists.org/bugtraq/2013/Jan/48
Source: secalert_us@oracle.com
Resource:
Mailing List
Third Party Advisory
Hyperlink: http://www.kb.cert.org/vuls/id/625617
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
US Government Resource
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
Source: secalert_us@oracle.com
Resource:
Not Applicable
Hyperlink: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Source: secalert_us@oracle.com
Resource:
Vendor Advisory
Hyperlink: http://www.ubuntu.com/usn/USN-1693-1
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
US Government Resource
Hyperlink: https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
Source: secalert_us@oracle.com
Resource:
Broken Link
Hyperlink: https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Source: secalert_us@oracle.com
Resource:
Not Applicable
Hyperlink: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
Source: secalert_us@oracle.com
Resource:
Third Party Advisory
Hyperlink: https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Source: secalert_us@oracle.com
Resource:
Not Applicable
Hyperlink: http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Not Applicable
Hyperlink: http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Hyperlink: http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Third Party Advisory
Hyperlink: http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory
Hyperlink: http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0156.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://rhn.redhat.com/errata/RHSA-2013-0165.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://seclists.org/bugtraq/2013/Jan/48
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory
Hyperlink: http://www.kb.cert.org/vuls/id/625617
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
US Government Resource
Hyperlink: http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Not Applicable
Hyperlink: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://www.ubuntu.com/usn/USN-1693-1
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
US Government Resource
Hyperlink: https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Hyperlink: https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Not Applicable
Hyperlink: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Not Applicable

Change History

0
Information is not available yet

Similar CVEs

1609Records found
CVE-2013-4316
Matching Score-10
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-10
Assigner-Red Hat, Inc.
CVSS Score-10||HIGH
EPSS-7.07% / 91.13%
||
7 Day CHG~0.00%
Published-30 Sep, 2013 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

Action-Not Available
Vendor-n/aThe Apache Software FoundationOracle Corporation
Product-strutsflexcube_private_bankingmysql_enterprise_monitorwebcenter_sitesn/a
CWE ID-CWE-284
Improper Access Control
CVE-2012-1723
Matching Score-10
Assigner-Oracle
ShareView Details
Matching Score-10
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-94.08% / 99.89%
||
7 Day CHG~0.00%
Published-16 Jun, 2012 | 21:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-03-24||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle Corporation
Product-enterprise_linux_desktopenterprise_linux_server_ausenterprise_linux_eusenterprise_linux_workstationicedtea6jdkjreenterprise_linux_servern/aJava SE
CWE ID-CWE-284
Improper Access Control
CVE-2012-5076
Matching Score-10
Assigner-Oracle
ShareView Details
Matching Score-10
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-92.50% / 99.73%
||
7 Day CHG~0.00%
Published-16 Oct, 2012 | 21:29
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-18||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

Action-Not Available
Vendor-n/aOracle CorporationSUSE
Product-linux_enterprise_desktopjren/aJava SE
CWE ID-CWE-284
Improper Access Control
CVE-2012-4681
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.14% / 99.90%
||
7 Day CHG~0.00%
Published-28 Aug, 2012 | 00:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-03-24||Apply updates per vendor instructions.

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

Action-Not Available
Vendor-n/aRed Hat, Inc.Oracle Corporation
Product-enterprise_linux_desktopenterprise_linux_eusenterprise_linux_workstationjdkjreenterprise_linux_servern/aJava SE
CWE ID-CWE-284
Improper Access Control
CVE-2011-3544
Matching Score-10
Assigner-Oracle
ShareView Details
Matching Score-10
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-93.04% / 99.77%
||
7 Day CHG~0.00%
Published-19 Oct, 2011 | 21:00
Updated-30 Jul, 2025 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-03-24||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

Action-Not Available
Vendor-n/aSUSERed Hat, Inc.Oracle CorporationCanonical Ltd.
Product-ubuntu_linuxlinux_enterprise_javajrelinux_enterprise_serversatellite_with_embedded_oraclejdkn/aJava SE JDK and JRE
CWE ID-CWE-284
Improper Access Control
CVE-2019-2729
Matching Score-10
Assigner-Oracle
ShareView Details
Matching Score-10
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-94.36% / 99.96%
||
7 Day CHG~0.00%
Published-19 Jun, 2019 | 22:24
Updated-15 Oct, 2024 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-communications_diameter_signaling_routerstoragetek_tape_analytics_sw_toolpeoplesoft_enterprise_peopletoolsweblogic_serverrapid_planningtape_library_acslscommunications_network_integrityidentity_managerhyperion_infrastructure_technologyWebLogic Server
CWE ID-CWE-284
Improper Access Control
CVE-2016-3427
Matching Score-10
Assigner-Oracle
ShareView Details
Matching Score-10
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-93.63% / 99.83%
||
7 Day CHG~0.00%
Published-21 Apr, 2016 | 10:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-06-02||Apply updates per vendor instructions.

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

Action-Not Available
Vendor-n/aOracle CorporationThe Apache Software FoundationSUSENetApp, Inc.Red Hat, Inc.openSUSECanonical Ltd.Debian GNU/Linux
Product-oncommand_workflow_automationoncommand_performance_managerlinux_enterprise_serveroncommand_shiftmanager_proxyenterprise_linux_server_eusoncommand_unified_managerjdkoncommand_reportmanagere-series_santricity_web_servicesdebian_linuxlinuxvasa_provider_for_clustered_data_ontape-series_santricity_management_plug-insenterprise_linux_server_ausstoragegridjrockitleapopensuseenterprise_linux_desktope-series_santricity_storage_managersatelliteenterprise_linux_serverenterprise_linux_euslinux_enterprise_module_for_legacyopenstack_cloudlinux_enterprise_desktoplinux_enterprise_software_development_kitoncommand_insightoncommand_balanceubuntu_linuxoncommand_cloud_managerenterprise_linux_server_tusenterprise_linux_workstationjrecassandravirtual_storage_consolen/aJava SE and JRockit
CWE ID-CWE-284
Improper Access Control
CVE-2019-0219
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-10.74% / 93.04%
||
7 Day CHG~0.00%
Published-14 Jan, 2020 | 14:18
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.

Action-Not Available
Vendor-The Apache Software FoundationOracle Corporation
Product-instantis_enterprisetrackretail_xstore_point_of_servicecordova_inappbrowserCordova
CVE-2019-0160
Matching Score-8
Assigner-Intel Corporation
ShareView Details
Matching Score-8
Assigner-Intel Corporation
CVSS Score-8.7||HIGH
EPSS-0.73% / 71.81%
||
7 Day CHG~0.00%
Published-27 Mar, 2019 | 19:20
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access.

Action-Not Available
Vendor-tianocoren/aRed Hat, Inc.openSUSEFedora Project
Product-enterprise_linux_serverenterprise_linux_server_ausenterprise_linuxfedoraedk_iienterprise_linux_eusenterprise_linux_server_tusleapExtensible Firmware Interface Development Kit (EDK II)
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-787
Out-of-bounds Write
CVE-2010-3116
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-12.28% / 93.60%
||
7 Day CHG~0.00%
Published-24 Aug, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple use-after-free vulnerabilities in WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3, Google Chrome before 5.0.375.127, and webkitgtk before 1.2.6, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to improper handling of MIME types by plug-ins.

Action-Not Available
Vendor-webkitgtkn/aApple Inc.Canonical Ltd.Google LLC
Product-ubuntu_linuxiphone_ossafarichromewebkitgtkn/a
CWE ID-CWE-416
Use After Free
CVE-2016-1659
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-9.8||CRITICAL
EPSS-2.37% / 84.31%
||
7 Day CHG~0.00%
Published-18 Apr, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple unspecified vulnerabilities in Google Chrome before 50.0.2661.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

Action-Not Available
Vendor-n/aopenSUSESUSEGoogle LLCDebian GNU/LinuxCanonical Ltd.
Product-leapubuntu_linuxchromedebian_linuxlinux_enterprisen/a
CVE-2011-4862
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-10||HIGH
EPSS-92.58% / 99.73%
||
7 Day CHG~0.00%
Published-25 Dec, 2011 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

Action-Not Available
Vendor-heimdal_projectn/aSUSEDebian GNU/LinuxGNUFedora ProjectMIT (Massachusetts Institute of Technology)openSUSEFreeBSD Foundation
Product-fedorafreebsddebian_linuxopensuselinux_enterprise_software_development_kitlinux_enterprise_serverinetutilskrb5-appllinux_enterprise_desktopheimdaln/a
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2010-3114
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-0.62% / 69.23%
||
7 Day CHG~0.00%
Published-24 Aug, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The text-editing implementation in Google Chrome before 5.0.375.127, and webkitgtk before 1.2.6, does not check a node type before performing a cast, which has unspecified impact and attack vectors related to (1) DeleteSelectionCommand.cpp, (2) InsertLineBreakCommand.cpp, or (3) InsertParagraphSeparatorCommand.cpp in WebCore/editing/.

Action-Not Available
Vendor-webkitgtkn/aCanonical Ltd.Google LLC
Product-ubuntu_linuxchromewebkitgtkn/a
CVE-2016-1662
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-9.8||CRITICAL
EPSS-15.29% / 94.35%
||
7 Day CHG-0.52%
Published-14 May, 2016 | 21:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

extensions/renderer/gc_callback.cc in Google Chrome before 50.0.2661.94 does not prevent fallback execution once the Garbage Collection callback has started, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via unknown vectors.

Action-Not Available
Vendor-n/aRed Hat, Inc.Google LLCopenSUSE
Product-enterprise_linux_workstation_supplementaryopensuseenterprise_linux_server_supplementarychromeenterprise_linux_server_supplementary_eusenterprise_linux_desktop_supplementaryn/a
CVE-2019-0230
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-93.84% / 99.86%
||
7 Day CHG~0.00%
Published-14 Sep, 2020 | 16:41
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Action-Not Available
Vendor-n/aThe Apache Software FoundationOracle Corporation
Product-financial_services_data_integration_hubstrutsmysql_enterprise_monitorfinancial_services_market_risk_measurement_and_managementcommunications_policy_managementApache Struts
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2001-0499
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-74.94% / 98.82%
||
7 Day CHG~0.00%
Published-27 Jul, 2001 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.

Action-Not Available
Vendor-n/aOracle Corporation
Product-oracle8in/a
CVE-2019-0228
Matching Score-8
Assigner-Apache Software Foundation
ShareView Details
Matching Score-8
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-7.83% / 91.62%
||
7 Day CHG~0.00%
Published-17 Apr, 2019 | 14:07
Updated-04 Aug, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Action-Not Available
Vendor-n/aThe Apache Software FoundationFedora ProjectOracle Corporation
Product-banking_trade_finance_process_managementpeoplesoft_enterprise_peopletoolsbanking_supply_chain_financepdfboxcommunications_messaging_serverhyperion_financial_reportingfedoraretail_xstore_point_of_servicejamesbanking_corporate_lending_process_managementcommunications_session_report_managerwebcenter_sitesbanking_credit_facilities_process_managementbanking_virtual_account_managementApache PDFBox
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2011-2767
Matching Score-8
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-8
Assigner-Debian GNU/Linux
CVSS Score-9.8||CRITICAL
EPSS-4.88% / 89.16%
||
7 Day CHG~0.00%
Published-26 Aug, 2018 | 16:00
Updated-06 Aug, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.

Action-Not Available
Vendor-n/aCanonical Ltd.The Apache Software FoundationDebian GNU/LinuxRed Hat, Inc.
Product-mod_perlubuntu_linuxenterprise_linux_serverdebian_linuxenterprise_linux_workstationenterprise_linuxenterprise_linux_desktopmod_perl 2.0 through 2.0.10
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2018-8784
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-14.66% / 94.22%
||
7 Day CHG~0.00%
Published-29 Nov, 2018 | 17:00
Updated-17 Sep, 2024 | 01:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress_segment() that results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-Canonical Ltd.FreeRDPCheck Point Software Technologies Ltd.
Product-freerdpubuntu_linuxFreeRDP
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-787
Out-of-bounds Write
CVE-2018-8797
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-6.79% / 90.93%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 20:00
Updated-16 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function process_plane() that results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-rdesktopDebian GNU/LinuxCheck Point Software Technologies Ltd.openSUSE
Product-rdesktopdebian_linuxleaprdesktop
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2010-2302
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-5.17% / 89.50%
||
7 Day CHG~0.00%
Published-15 Jun, 2010 | 17:48
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use-after-free vulnerability in WebCore in WebKit in Google Chrome before 5.0.375.70 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via vectors involving remote fonts in conjunction with shadow DOM trees, aka rdar problem 8007953. NOTE: this might overlap CVE-2010-1771.

Action-Not Available
Vendor-n/aopenSUSESUSEGoogle LLC
Product-opensusesuse_linux_enterprise_serverchromesuse_linux_enterprise_desktopn/a
CWE ID-CWE-416
Use After Free
CVE-2010-1866
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.48% / 80.21%
||
7 Day CHG~0.00%
Published-07 May, 2010 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.

Action-Not Available
Vendor-n/aThe PHP GroupopenSUSESUSE
Product-phpopensuselinux_enterprisen/a
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2018-8800
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-6.79% / 90.93%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 20:00
Updated-16 Sep, 2024 | 23:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function ui_clip_handle_data() that results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-rdesktopDebian GNU/LinuxCheck Point Software Technologies Ltd.openSUSE
Product-rdesktopdebian_linuxleaprdesktop
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2018-8088
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 73.69%
||
7 Day CHG~0.00%
Published-20 Mar, 2018 | 00:00
Updated-05 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x series.

Action-Not Available
Vendor-qosn/aOracle CorporationRed Hat, Inc.
Product-enterprise_linux_servervirtualizationenterprise_linux_server_ausenterprise_linux_workstationenterprise_linuxvirtualization_hostslf4jgoldengate_stream_analyticsenterprise_linux_eusgoldengate_application_adaptersenterprise_linux_server_tusjboss_enterprise_application_platformenterprise_linux_desktoputilities_frameworkn/a
CVE-2011-2288
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-10||HIGH
EPSS-2.19% / 83.69%
||
7 Day CHG-0.01%
Published-21 Jul, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Sun Integrated Lights Out Manager (ILOM) in SysFW 8.1.0.a and earlier for various Oracle SPARC T3, SPARC Netra T3, Sun Blade, and Sun Fire servers allows remote attackers to affect confidentiality, integrity, and availability, related to ILOM.

Action-Not Available
Vendor-n/aOracle Corporation
Product-sysfwnetra_sparc_t3-1bnetra_sparc_t3-1sparc_t3-1sparc_t3-4sparc_t3-1bsparc_t3-2n/a
CVE-2007-2126
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-1.06% / 76.69%
||
7 Day CHG~0.00%
Published-18 Apr, 2007 | 18:00
Updated-07 Aug, 2024 | 13:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Oracle E-Business Suite 11.5.10CU2 has unknown impact and remote attack vectors in the (1) Common Applications (APPS01) and (2) iProcurement (APPS02).

Action-Not Available
Vendor-n/aOracle Corporation
Product-e-business_suiten/a
CVE-2018-8793
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-8.09% / 91.79%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 20:00
Updated-17 Sep, 2024 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function cssp_read_tsrequest() that results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-rdesktopDebian GNU/LinuxCheck Point Software Technologies Ltd.openSUSE
Product-rdesktopdebian_linuxleaprdesktop
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2018-9019
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.00% / 82.88%
||
7 Day CHG~0.00%
Published-22 May, 2018 | 20:00
Updated-05 Aug, 2024 | 07:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.

Action-Not Available
Vendor-n/aDolibarr ERP & CRMOracle Corporation
Product-dolibarrdata_integratorn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-4346
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.67% / 70.36%
||
7 Day CHG~0.00%
Published-22 May, 2016 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.

Action-Not Available
Vendor-n/aThe PHP GroupopenSUSE
Product-leapopensusephpn/a
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2016-1580
Matching Score-8
Assigner-Canonical Ltd.
ShareView Details
Matching Score-8
Assigner-Canonical Ltd.
CVSS Score-9.8||CRITICAL
EPSS-1.65% / 81.27%
||
7 Day CHG-0.33%
Published-13 May, 2016 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The setup_snappy_os_mounts function in the ubuntu-core-launcher package before 1.0.27.1 improperly determines the mount point of bind mounts when using snaps, which might allow remote attackers to obtain sensitive information or gain privileges via a snap with a name starting with "ubuntu-core."

Action-Not Available
Vendor-n/aCanonical Ltd.
Product-ubuntu_linuxubuntu-core-launchern/a
CVE-2016-2807
Matching Score-8
Assigner-Mozilla Corporation
ShareView Details
Matching Score-8
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-1.31% / 79.01%
||
7 Day CHG~0.00%
Published-30 Apr, 2016 | 17:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 46.0, Firefox ESR 38.x before 38.8, and Firefox ESR 45.x before 45.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

Action-Not Available
Vendor-n/aMozilla CorporationopenSUSESUSE
Product-leapfirefoxlinux_enterpriseopensusen/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2018-8785
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-14.66% / 94.22%
||
7 Day CHG~0.00%
Published-29 Nov, 2018 | 17:00
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress() that results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-Canonical Ltd.FreeRDPCheck Point Software Technologies Ltd.
Product-freerdpubuntu_linuxFreeRDP
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-787
Out-of-bounds Write
CVE-2018-8787
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-16.00% / 94.50%
||
7 Day CHG~0.00%
Published-29 Nov, 2018 | 17:00
Updated-16 Sep, 2024 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function gdi_Bitmap_Decompress() and results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-Canonical Ltd.FreeRDPCheck Point Software Technologies Ltd.Red Hat, Inc.Debian GNU/Linux
Product-enterprise_linux_serverubuntu_linuxdebian_linuxfreerdpenterprise_linux_server_ausenterprise_linux_workstationenterprise_linux_eusenterprise_linux_server_tusenterprise_linux_desktopFreeRDP
CWE ID-CWE-680
Integer Overflow to Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-1999-1125
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-0.94% / 75.21%
||
7 Day CHG~0.00%
Published-12 Sep, 2001 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.

Action-Not Available
Vendor-n/aOracle Corporation
Product-http_servern/a
CVE-2010-0840
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-92.55% / 99.73%
||
7 Day CHG~0.00%
Published-01 Apr, 2010 | 16:00
Updated-30 Jul, 2025 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-15||Apply updates per vendor instructions.

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."

Action-Not Available
Vendor-n/aopenSUSEOracle CorporationCanonical Ltd.
Product-ubuntu_linuxopensusejren/aJava Runtime Environment (JRE)
CVE-2016-2315
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-25.72% / 96.03%
||
7 Day CHG~0.00%
Published-08 Apr, 2016 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.

Action-Not Available
Vendor-git-scmn/aopenSUSESUSE
Product-leapopensuselinux_enterprise_software_development_kitopenstack_cloudsuse_linux_enterprise_servergitlinux_enterprise_serverlinux_enterprise_debuginfon/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2018-8786
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-21.92% / 95.55%
||
7 Day CHG~0.00%
Published-29 Nov, 2018 | 17:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption and probably even a remote code execution.

Action-Not Available
Vendor-Canonical Ltd.FreeRDPCheck Point Software Technologies Ltd.Fedora ProjectRed Hat, Inc.Debian GNU/Linux
Product-enterprise_linux_serverubuntu_linuxdebian_linuxenterprise_linux_server_eusfreerdpenterprise_linux_server_ausenterprise_linux_workstationfedoraenterprise_linux_server_tusenterprise_linux_desktopFreeRDP
CWE ID-CWE-680
Integer Overflow to Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-681
Incorrect Conversion between Numeric Types
CVE-2016-2148
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-15.84% / 94.48%
||
7 Day CHG~0.00%
Published-09 Feb, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.

Action-Not Available
Vendor-busyboxn/aDebian GNU/LinuxCanonical Ltd.
Product-ubuntu_linuxdebian_linuxbusyboxn/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-0888
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-10||HIGH
EPSS-3.08% / 86.24%
||
7 Day CHG~0.00%
Published-13 Apr, 2010 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Sun Ray Server Software component in Oracle Sun Product Suite 4.0, 4.1, and 4.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Device Services.

Action-Not Available
Vendor-n/aOracle Corporation
Product-sun_products_suiten/a
CVE-2016-3468
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-9.8||CRITICAL
EPSS-3.38% / 86.88%
||
7 Day CHG~0.00%
Published-21 Jul, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.3.0 and 6.2.0.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Install.

Action-Not Available
Vendor-n/aOracle Corporation
Product-agile_engineering_data_managementn/a
CVE-2010-1205
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.03% / 94.72%
||
7 Day CHG~0.00%
Published-30 Jun, 2010 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.

Action-Not Available
Vendor-libpngn/aMozilla CorporationSUSECanonical Ltd.Debian GNU/LinuxGoogle LLCFedora ProjectVMware (Broadcom Inc.)openSUSEApple Inc.
Product-ubuntu_linuxfedorafirefoxiphone_osthunderbirditunessafariseamonkeyworkstationchromeopensusedebian_linuxmac_os_x_serverlinux_enterprise_serverplayerlibpngmac_os_xn/a
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2018-8794
Matching Score-8
Assigner-Check Point Software Ltd.
ShareView Details
Matching Score-8
Assigner-Check Point Software Ltd.
CVSS Score-9.8||CRITICAL
EPSS-6.07% / 90.38%
||
7 Day CHG~0.00%
Published-05 Feb, 2019 | 20:00
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rdesktop versions up to and including v1.8.3 contain an Integer Overflow that leads to an Out-Of-Bounds Write in function process_bitmap_updates() and results in a memory corruption and possibly even a remote code execution.

Action-Not Available
Vendor-rdesktopDebian GNU/LinuxCheck Point Software Technologies Ltd.openSUSE
Product-rdesktopdebian_linuxleaprdesktop
CWE ID-CWE-680
Integer Overflow to Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2014-6549
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-10||HIGH
EPSS-1.07% / 76.83%
||
7 Day CHG~0.00%
Published-21 Jan, 2015 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

Action-Not Available
Vendor-n/aOracle Corporation
Product-jrejdkn/a
CVE-2016-1629
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-9.8||CRITICAL
EPSS-3.09% / 86.26%
||
7 Day CHG~0.00%
Published-21 Feb, 2016 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Google Chrome before 48.0.2564.116 allows remote attackers to bypass the Blink Same Origin Policy and a sandbox protection mechanism via unspecified vectors.

Action-Not Available
Vendor-n/aopenSUSEGoogle LLCDebian GNU/LinuxNovell
Product-leapopensusesuse_package_hub_for_suse_linux_enterprisechromedebian_linuxn/a
CVE-2016-1585
Matching Score-8
Assigner-Canonical Ltd.
ShareView Details
Matching Score-8
Assigner-Canonical Ltd.
CVSS Score-3.9||LOW
EPSS-0.08% / 23.82%
||
7 Day CHG~0.00%
Published-22 Apr, 2019 | 15:35
Updated-02 May, 2025 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AppArmor mount rules grant excessive permissions

In all versions of AppArmor mount rules are accidentally widened when compiled.

Action-Not Available
Vendor-AppArmorCanonical Ltd.
Product-apparmorapparmor
CVE-2024-6107
Matching Score-8
Assigner-Canonical Ltd.
ShareView Details
Matching Score-8
Assigner-Canonical Ltd.
CVSS Score-9.6||CRITICAL
EPSS-0.05% / 16.40%
||
7 Day CHG+0.02%
Published-21 Jul, 2025 | 08:52
Updated-27 Aug, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.

Action-Not Available
Vendor-Canonical Ltd.
Product-metal_as_a_serviceMAAS
CWE ID-CWE-287
Improper Authentication
CVE-2010-0071
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-10||HIGH
EPSS-12.52% / 93.67%
||
7 Day CHG~0.00%
Published-13 Jan, 2010 | 01:00
Updated-07 Aug, 2024 | 00:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Listener component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-database_servern/a
CVE-2010-0073
Matching Score-8
Assigner-Oracle
ShareView Details
Matching Score-8
Assigner-Oracle
CVSS Score-10||HIGH
EPSS-2.93% / 85.88%
||
7 Day CHG~0.00%
Published-14 Apr, 2010 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Server 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, and 10.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Action-Not Available
Vendor-n/aOracle Corporation
Product-weblogic_servern/a
CVE-2018-7318
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-25.32% / 95.99%
||
7 Day CHG~0.00%
Published-22 Feb, 2018 | 19:00
Updated-05 Aug, 2024 | 06:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter.

Action-Not Available
Vendor-belitsoftn/aOracle Corporation
Product-checklistdata_integratorn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-0159
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-2.15% / 83.54%
||
7 Day CHG~0.00%
Published-21 Feb, 2010 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.

Action-Not Available
Vendor-n/aMozilla CorporationDebian GNU/LinuxCanonical Ltd.
Product-ubuntu_linuxdebian_linuxfirefoxthunderbirdseamonkeyn/a
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 32
  • 33
  • Next
Details not found