Banking Credit Facilities Process Management
Monthly
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file.0.23 and prior 2.0.x versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.0.23 and prior 2.0.x versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
XStream is software for serializing Java objects to XML and back again. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.0.22 and prior 2.0.x versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file.0.23 and prior 2.0.x versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.0.23 and prior 2.0.x versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
XStream is software for serializing Java objects to XML and back again. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file.0.22 and prior 2.0.x versions. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 41.1%.
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.