andikahilmy

165 exploits Active since Aug 2013
CVE-2018-1337 NOMISEC CRITICAL STUB
Apache Directory LDAP API < 1.0.2 - Exposure of Sensitive Information via TLS Handshake Bypass
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CVSS 9.8
CVE-2018-14718 NOMISEC CRITICAL STUB
FasterXML Jackson <2.9.7 - Code Injection
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSS 9.8
CVE-2018-14719 NOMISEC CRITICAL WRITEUP
FasterXML jackson-databind 2.0.0-2.6.7.2 - Remote Code Execution via BlazeDS Polymorphic Deserialization
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
CVSS 9.8
CVE-2018-14720 NOMISEC CRITICAL STUB
FasterXML jackson-databind 2.6.0-2.6.7.1 - XML External Entity Injection via Polymorphic Deserialization
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVSS 9.8
CVE-2018-14721 NOMISEC CRITICAL STUB
FasterXML jackson-databind <2.9.7 - SSRF
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVSS 10.0
CVE-2018-17187 NOMISEC HIGH WRITEUP
Apache Qpid Proton-J 0.3-0.29.0 - Improper Certificate Validation in TLS Transport Wrapper
The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise.
CVSS 7.4
CVE-2018-19360 NOMISEC CRITICAL WORKING POC
FasterXML jackson-databind <2.9.8 - Code Injection
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVSS 9.8
CVE-2018-19361 NOMISEC CRITICAL WORKING POC
FasterXML jackson-databind <2.9.8 - Deserialization
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVSS 9.8
CVE-2018-20227 NOMISEC HIGH STUB
RDF4J < 2.5.0 - Path Traversal via ZIP Archive Entry
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive.
CVSS 7.5
CVE-2018-20318 NOMISEC CRITICAL WRITEUP
.weixin-java-tools <3.2.0 - Info Disclosure
An issue was discovered in weixin-java-tools v3.2.0. There is an XXE vulnerability in the getXmlDoc method of the BaseWxPayResult.java file.
CVSS 9.8
CVE-2018-5968 NOMISEC HIGH WORKING POC
FasterXML jackson-databind <2.8.11, 2.9.x<2.9.3 - RCE
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSS 8.1
CVE-2018-7489 NOMISEC CRITICAL WORKING POC
jackson-databind < 2.7.9.3, 2.8.0-2.8.11.1, < 2.9.5 - Remote Code Execution via Deserialization Bypass
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSS 9.8
CVE-2018-8030 NOMISEC HIGH WORKING POC
Apache Qpid Broker-J 7.0.0-7.0.4 - Denial of Service via Oversized AMQP Message
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 are not affected.
CVSS 7.5
CVE-2018-9159 NOMISEC MEDIUM WORKING POC
sparkjava/spark < 2.7.2 - Path Traversal via File URL
In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark.
CVSS 5.3
CVE-2017-15700 NOMISEC HIGH WRITEUP
Apache Sling Authentication Service 1.4.0 - Exposure of Sensitive Information via Login Form Redirect
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials.
CVSS 8.8
CVE-2017-7957 NOMISEC HIGH STUB
Redhat Fuse < 1.4.9 - Improper Input Validation
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
CVSS 7.5
CVE-2017-7662 NOMISEC HIGH WORKING POC
Apache CXF Fediz <1.4.0-1.3.2 - CSRF
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been found in this web application in Apache CXF Fediz prior to 1.4.0 and 1.3.2, meaning that a malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.
CVSS 8.8
CVE-2017-7661 NOMISEC HIGH WORKING POC
Apache CXF Fediz <1.4.0-1.2.4 - CSRF
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF Fediz prior to 1.4.0, 1.3.2 and 1.2.4.
CVSS 8.8
CVE-2017-7561 NOMISEC HIGH WORKING POC
Red Hat JBoss EAP 3.0.7-3.0.25.Final - Server-Side Cache Poisoning via JAX-RS Component
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
CVSS 7.5
CVE-2017-7559 NOMISEC MEDIUM STUB
Undertow <2.0.0.Alpha2,<1.4.17.Final,<1.3.31.Final - SSRF
In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
CVSS 6.1
CVE-2017-5929 NOMISEC CRITICAL WORKING POC
Logback < 1.2.0 - Deserialization of Untrusted Data in SocketServer and ServerSocketReceiver
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSS 9.8
CVE-2017-2666 NOMISEC MEDIUM STUB
Undertow < 1.3.31 - HTTP Request Smuggling via Invalid Request Line Characters
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
CVSS 6.5
CVE-2017-2649 NOMISEC HIGH WRITEUP
Jenkins Active Directory Plugin <= 2.2 - Improper Certificate Validation
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
CVSS 8.1
CVE-2017-18640 NOMISEC HIGH WORKING POC
SnakeYAML < 1.26 - XML Entity Expansion via Alias Feature
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVSS 7.5
CVE-2017-17485 NOMISEC CRITICAL WORKING POC
jackson-databind < 2.6.7.3, 2.9.0-2.9.3 - Unauthenticated Remote Code Execution via Malicious JSON Input
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSS 9.8