CVE-2021-44832

>= 8.0.0.0 and <= 8.5.1.0

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code

6.6MEDIUM

CVE-2021-45105

>= 8.3.0.0 and <= 8.5.1.0

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from sel

5.9MEDIUM

CVE-2021-21703

>= 8.0.0.0 and <= 8.5.0.2

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main F

7.8HIGH

CVE-2021-37137

>= 8.0.0.0 and <= 8.5.0.2

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also

7.5HIGH

CVE-2021-37136

>= 8.0.0.0 and <= 8.5.0.2

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects th

7.5HIGH

CVE-2021-42340

>= 8.0.0.0 and <= 8.5.0.2

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71

7.5HIGH

CVE-2021-34429

>= 8.0.0.0 and <= 8.5.0.2

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to acce

5.3MEDIUM

CVE-2021-33037

>= 8.0.0.0 and <= 8.5.0.2

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding reque

5.3MEDIUM

CVE-2021-30640

>= 8.0.0 and <= 8.5.0

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or

6.5MEDIUM

CVE-2021-21783

>= 8.0.0 and <= 8.5.0

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP

9.8CRITICAL

CVE-2021-21702

>= 8.0.0 and <= 8.5.0

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP serve

5.3MEDIUM

CVE-2020-36189

>= 8.0.0 and <= 8.5.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-35490

>= 8.0.0 and <= 8.5.0

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-17521

all versions

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of

5.5MEDIUM

CVE-2020-14788

>= 8.0.0.0 and <= 8.4.0.5

Vulnerability in the Oracle Communications Diameter Signaling Router (DSR) product of Oracle Communications (component: User Inter

6.1MEDIUM

CVE-2020-14787

>= 8.0.0.0 and <= 8.4.0.5

Vulnerability in the Oracle Communications Diameter Signaling Router (DSR) product of Oracle Communications (component: User Inter

5.4MEDIUM

CVE-2020-7069

>= 8.0.0 and <= 8.5.0

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() fu

5.4MEDIUM

CVE-2020-24750

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-13920

>= 8.0.0 and <= 8.2.2

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It

5.9MEDIUM

CVE-2020-11998

>= 8.0.0 and <= 8.5.0

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer,

9.8CRITICAL

CVE-2020-24616

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.

8.1HIGH

CVE-2020-8622

>= 8.0.0 and <= 8.5.0

In BIND 9.0.0 - 9.11.21, 9.12.0 - 9.16.5, 9.17.0 - 9.17.3, also affects 9.9.3-S1 - 9.11.21-S1 of the BIND 9 Supported Preview Edit

6.5MEDIUM

CVE-2020-11994

>= 8.0.0 and <= 8.5.0

Server-Side Template Injection and arbitrary file disclosure on Camel templating components

7.5HIGH

CVE-2020-14195

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-14060

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oad

8.1HIGH

CVE-2020-14062

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com

8.1HIGH

CVE-2020-14061

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to ora

8.1HIGH

CVE-2020-12723

>= 8.0.0 and <= 8.5.0

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls

7.5HIGH

CVE-2020-10878

>= 8.0.0 and <= 8.5.0

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular

8.6HIGH

CVE-2020-10543

>= 8.0.0 and <= 8.5.0

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an i

8.2HIGH

CVE-2020-9484

>= 8.0.0.0 and <= 8.4.0.5

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attack

7.0HIGH

CVE-2020-1941

>= 8.0.0 and <= 8.2.2

In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.

6.1MEDIUM

CVE-2020-11973

>= 8.0.0 and <= 8.5.0

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are aff

9.8CRITICAL

CVE-2020-11972

>= 8.0.0 and <= 8.2.2

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are

9.8CRITICAL

CVE-2020-11971

>= 8.0.0 and <= 8.2.2

Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users

7.5HIGH

CVE-2020-1945

>= 8.0.0 and <= 8.2.2

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.

6.3MEDIUM

CVE-2020-10683

>= 8.0.0 and <= 8.2.2

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. H

9.8CRITICAL

CVE-2020-7067

>= 8.0.0.0 and <= 8.4.0.5

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), u

7.5HIGH

CVE-2020-11619

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.1HIGH

CVE-2020-1954

>= 8.0.0 and <= 8.2.2

Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘cr

5.3MEDIUM

CVE-2020-11113

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-11112

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-11111

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-10969

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to jav

8.8HIGH

CVE-2020-10968

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-10673

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com

8.8HIGH

CVE-2020-10672

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

8.8HIGH

CVE-2020-9548

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.

9.8CRITICAL

CVE-2020-9546

>= 8.0.0 and <= 8.2.2

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org

9.8CRITICAL

CVE-2020-7060

>= 8.0 and <= 8.4

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7

6.5MEDIUM

CVE-2020-7059

>= 8.0 and <= 8.4

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x be

6.5MEDIUM

CVE-2020-5397

>= 8.0.0 and <= 8.2.2

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring

5.3MEDIUM

CVE-2020-5398

>= 8.0.0 and <= 8.2.2

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an applica

7.5HIGH

CVE-2019-12423

>= 8.0.0 and <= 8.2.2

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can

7.5HIGH

CVE-2020-2555

>= 8.0.0 and <= 8.2.2

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported ve

9.8CRITICAL

CVE-2019-2904

>= 8.0.0.0 and <= 8.4.0.5

Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that

9.8CRITICAL

CVE-2019-17359

>= 8.0.0 and <= 8.2.2

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMe

7.5HIGH

CVE-2019-17091

>= 8.0.0.0 and <= 8.4.0.5

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaSe

6.1MEDIUM

CVE-2019-14439

all versions

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is ena

7.5HIGH

CVE-2019-14379

all versions

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.

9.8CRITICAL

CVE-2019-10173

>= 8.0.0 and <= 8.2.2

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the sec

9.8CRITICAL

CVE-2019-2729

all versions

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions

9.8CRITICAL

CVE-2019-11358

all versions

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Objec

6.1MEDIUM

CVE-2019-0222

all versions

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unrespons

7.5HIGH

CVE-2019-1559

all versions

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to

5.9MEDIUM

CVE-2019-2399

< 8.3

Vulnerability in the Oracle Communications Diameter Signaling Router (DSR) component of Oracle Communications Applications (subcom

6.5MEDIUM

CVE-2018-15756

all versions

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on t

7.5HIGH

CVE-2018-1000613

all versions

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-47

9.8CRITICAL

CVE-2018-11039

< 8.3

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applica

5.9MEDIUM

CVE-2018-8013

< 8.3

In Apache Batik 1.x before 1.10, when deserializing subclass of AbstractDocument, the class takes a string from the inputStream

9.8CRITICAL

CVE-2018-1258

< 8.3

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when

8.8HIGH

CVE-2018-1257

< 8.3

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows application

6.5MEDIUM

CVE-2018-1275

< 8.3

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications

9.8CRITICAL

CVE-2018-1272

< 8.3

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side

7.5HIGH

CVE-2018-1271

< 8.3

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications

5.9MEDIUM

CVE-2018-1270

< 8.3

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications

9.8CRITICAL

CVE-2017-15095

< 8.3

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenti

9.8CRITICAL

CVE-2017-5715

all versions

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of i

5.6MEDIUM

CVE-2016-0762

>= 8.0.0 and <= 8.5.0

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and

5.9MEDIUM

CVE-2017-9841

>= 8.0.0 and <= 8.5.0

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HT

9.8CRITICAL