Skip to main content

Coherence CVE-2018-20301

MEDIUM
Improper Input Validation (CWE-20)
2018-12-20 cve@mitre.org
6.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 20, 2018 - 09:29 nvd
MEDIUM 6.5

DescriptionNVD

An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically confirm their accounts by sending the confirmed_at parameter with their registration request.

AnalysisAI

An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" endpoints (e.g., creating, editing, updating) allow users to update any coherence_fields data. For example, users can automatically confirm their accounts by sending the confirmed_at parameter with their registration request. Affected products include: Coherence Project Coherence. Version information: before 0.5.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-2555 CRITICAL POC
9.8 Jan 15

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Ra

CVE-2022-21420 CRITICAL
9.8 Apr 19

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Rated critical severity (CV

CVE-2020-2915 CRITICAL
9.8 Apr 15

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching, CacheStore, Invocation).

CVE-2021-2428 HIGH
8.1 Jul 21

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 8

CVE-2021-37136 HIGH
7.5 Oct 19

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which

CVE-2021-2371 HIGH
7.5 Jul 21

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 7

CVE-2021-2344 HIGH
7.5 Jul 21

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 7

CVE-2021-2277 HIGH
7.5 Apr 22

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Rated high severity (CVSS 7

CVE-2020-25649 HIGH
7.5 Dec 03

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. Rated high seve

CVE-2020-14642 HIGH
7.5 Jul 15

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: CacheStore). Rated high severity (

CVE-2021-43797 MEDIUM
6.5 Dec 09

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performan

CVE-2021-21409 MEDIUM
5.9 Mar 30

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable h

Share

CVE-2018-20301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy