N1tLGFqv

1Shangai exchange multiple vulnerability
2
3# Nmap 7.80 scan initiated Sat Mar 21 17:59:13 2020 as: nmap --script vulners.nse --script=/usr/share/nmap/scripts/vulscan.nse --script-args vulscandb=allitems.csv -sV -iL target.txt -oN shangaiexchangeresults.txt
4Nmap scan report for 222.73.229.73
5Host is up (0.40s latency).
6Not shown: 998 filtered ports
7PORT    STATE SERVICE  VERSION
880/tcp  open  http     Apache httpd
9|_http-server-header: Apache
10| vulscan: allitems.csv:
11| [CVE-2001-0131,Candidate,"htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.","BID:2182   |   URL:http://www.securityfocus.com/bid/2182   |   BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problems   |   URL:http://marc.info/?l=bugtraq&m=97916374410647&w=2   |   DEBIAN:DSA-021   |   URL:http://www.debian.org/security/2001/dsa-021   |   XF:linux-apache-symlink(5926)   |   URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/5926",Modified (20010430),"   ACCEPT(2) Baker, Cole  |     MODIFY(1) Frech  |     NOOP(3) Christey, Magdych, Wall","Frech> XF:linux-apache-symlink(5926)  |    Christey> XF:linux-apache-symlink  |    URL:http://xforce.iss.net/static/5926.php  |    Christey> http://archives.neohapsis.com/archives/vendor/2001-q1/0019.html  |    Christey> This item may have been re-introduced into the Apache source  |    code sometime during 2002]  CVE-2002-1233 has been created for  |    that version, which affects Apache 1.3.27 and other versions.  |    Christey> As a further clarification, CVE-2002-1233 is *only* for the  |    Debian-specific regression error.  |    Christey> DEBIAN:DSA-195  |    URL:http://www.debian.org/security/2002/dsa-195"
12| [CVE-2002-0563,Candidate,"The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and (6) dms/AggreSpy]  and Oracle Java Process Manager (7) oprocmgr-status and (8) oprocmgr-service, which can be used to control Java processes.","BID:4293   |   URL:http://www.securityfocus.com/bid/4293   |   BUGTRAQ:20020206 Hackproofing Oracle Application Server paper   |   URL:http://marc.info/?l=bugtraq&m=101301813117562&w=2   |   CERT:CA-2002-08   |   URL:http://www.cert.org/advisories/CA-2002-08.html   |   CERT-VN:VU#168795   |   URL:http://www.kb.cert.org/vuls/id/168795   |   CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf   |   MISC:http://www.appsecinc.com/Policy/PolicyCheck7024.html   |   MISC:http://www.nextgenss.com/papers/hpoas.pdf   |   OSVDB:13152   |   URL:http://www.osvdb.org/13152   |   OSVDB:705   |   URL:http://www.osvdb.org/705   |   SECTRACK:1009167   |   URL:http://securitytracker.com/id?1009167   |   XF:oracle-appserver-apache-services(8455)   |   URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8455",Modified (20070207),"   ACCEPT(3) Alderson, Baker, Cole  |     MODIFY(1) Frech  |     NOOP(3) Cox, Foat, Wall","Frech> XF:oracle-appserver-apache-services(8455)"
13| [CVE-2009-0038,Candidate,"Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring]  or (5) the PATH_INFO to the default URI under console/portal/.","BID:34562   |   URL:http://www.securityfocus.com/bid/34562   |   BUGTRAQ:20090416 [DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt   |   URL:http://www.securityfocus.com/archive/1/502734/100/0/threaded   |   CONFIRM:http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214   |   CONFIRM:http://issues.apache.org/jira/browse/GERONIMO-4597   |   MISC:http://dsecrg.com/pages/vul/show.php?id=119   |   SECUNIA:34715   |   URL:http://secunia.com/advisories/34715   |   VUPEN:ADV-2009-1089   |   URL:http://www.vupen.com/english/advisories/2009/1089",Assigned (20081215),"None (candidate not yet proposed)",""
14| [CVE-2010-3449,Candidate,"Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1]  and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1
15| [CVE-2011-0533,Candidate,"Cross-site scripting (XSS) vulnerability in Apache Continuum 1.1 through 1.2.3.1, 1.3.6, and 1.4.0 Beta]  and Archiva 1.3.0 through 1.3.3 and 1.0 through 1.22 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to the autoIncludeParameters setting for the extremecomponents table.","BID:46311   |   URL:http://www.securityfocus.com/bid/46311   |   BUGTRAQ:20110210 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability   |   URL:http://www.securityfocus.com/archive/1/516342/100/0/threaded   |   BUGTRAQ:20110216 [SECURITY] CVE-2011-0533: Apache Archiva cross-site scripting vulnerability   |   URL:http://www.securityfocus.com/archive/1/516474/100/0/threaded   |   CONFIRM:http://continuum.apache.org/security.html   |   CONFIRM:http://jira.codehaus.org/browse/CONTINUUM-2604   |   CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1066053   |   CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1066056   |   FULLDISC:20110211 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability   |   URL:http://seclists.org/fulldisclosure/2011/Feb/236   |   MLIST:[continuum-users] 20110210 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability   |   URL:http://mail-archives.apache.org/mod_mbox/continuum-users/201102.mbox/%3C981C0A79-5B7B-4053-84CC-3217870BE360@apache.org%3E   |   OSVDB:70925   |   URL:http://osvdb.org/70925   |   OVAL:oval:org.mitre.oval:def:12581   |   URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12581   |   SECTRACK:1025065   |   URL:http://securitytracker.com/id?1025065   |   SECUNIA:43261   |   URL:http://secunia.com/advisories/43261   |   SECUNIA:43334   |   URL:http://secunia.com/advisories/43334   |   SREASON:8091   |   URL:http://securityreason.com/securityalert/8091   |   VUPEN:ADV-2011-0373   |   URL:http://www.vupen.com/english/advisories/2011/0373   |   VUPEN:ADV-2011-0426   |   URL:http://www.vupen.com/english/advisories/2011/0426   |   XF:continuum-unspec-xss(65343)   |   URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/65343",Assigned (20110120),"None (candidate not yet proposed)",""
16| [CVE-2014-0085,Candidate,"JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated]  previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.","CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085",Assigned (20131203),"None (candidate not yet proposed)",""
17| [CVE-2014-6271,Candidate,"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ""ShellShock.""  NOTE: the original fix for this issue was incorrect]  CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.","APPLE:APPLE-SA-2014-10-16-1   |   URL:http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html   |   BID:70103   |   URL:http://www.securityfocus.com/bid/70103   |   BUGTRAQ:20141001 NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities   |   URL:http://www.securityfocus.com/archive/1/533593/100/0/threaded   |   CERT:TA14-268A   |   URL:http://www.us-cert.gov/ncas/alerts/TA14-268A   |   CERT-VN:VU#252743   |   URL:http://www.kb.cert.org/vuls/id/252743   |   CISCO:20140926 GNU Bash Environmental Variable Command Injection Vulnerability   |   URL:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash   |   CONFIRM:http://advisories.mageia.org/MGASA-2014-0388.html   |   CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673   |   CONFIRM:http://linux.oracle.com/errata/ELSA-2014-1293.html   |   CONFIRM:http://linux.oracle.com/errata/ELSA-2014-1294.html   |   CONFIRM:http://support.apple.com/kb/HT6495   |   CONFIRM:http://support.novell.com/security/cve/CVE-2014-6271.html   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685541   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685604   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685733   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685749   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685914   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686084   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686131   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686246   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686445   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686447   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686479   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686494   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21687079   |   CONFIRM:http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315   |   CONFIRM:http://www.novell.com/support/kb/doc.php?id=7015701   |   CONFIRM:http://www.novell.com/support/kb/doc.php?id=7015721   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html   |   CONFIRM:http://www.qnap.com/i/en/support/con_show.php?cid=61   |   CONFIRM:http://www.vmware.com/security/advisories/VMSA-2014-0010.html   |   CONFIRM:http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0   |   CONFIRM:https://access.redhat.com/articles/1200223   |   CONFIRM:https://access.redhat.com/node/1200223   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1141597   |   CONFIRM:https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes   |   CONFIRM:https://kb.bluecoat.com/index?page=content&id=SA82   |   CONFIRM:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10085   |   CONFIRM:https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/   |   CONFIRM:https://support.apple.com/kb/HT6535   |   CONFIRM:https://support.citrix.com/article/CTX200217   |   CONFIRM:https://support.citrix.com/article/CTX200223   |   CONFIRM:https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html   |   CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075   |   CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183   |   CONFIRM:https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts   |   CONFIRM:https://www.suse.com/support/shellshock/   |   DEBIAN:DSA-3032   |   URL:http://www.debian.org/security/2014/dsa-3032   |   EXPLOIT-DB:34879   |   URL:https://www.exploit-db.com/exploits/34879/   |   EXPLOIT-DB:37816   |   URL:https://www.exploit-db.com/exploits/37816/   |   EXPLOIT-DB:38849   |   URL:https://www.exploit-db.com/exploits/38849/   |   EXPLOIT-DB:39918   |   URL:https://www.exploit-db.com/exploits/39918/   |   EXPLOIT-DB:40619   |   URL:https://www.exploit-db.com/exploits/40619/   |   EXPLOIT-DB:40938   |   URL:https://www.exploit-db.com/exploits/40938/   |   EXPLOIT-DB:42938   |   URL:https://www.exploit-db.com/exploits/42938/   |   FULLDISC:20141001 FW: NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities   |   URL:http://seclists.org/fulldisclosure/2014/Oct/0   |   HP:HPSBGN03117   |   URL:http://marc.info/?l=bugtraq&m=141216207813411&w=2   |   HP:HPSBGN03138   |   URL:http://marc.info/?l=bugtraq&m=141330468527613&w=2   |   HP:HPSBGN03141   |   URL:http://marc.info/?l=bugtraq&m=141383304022067&w=2   |   HP:HPSBGN03142   |   URL:http://marc.info/?l=bugtraq&m=141383244821813&w=2   |   HP:HPSBGN03233   |   URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2   |   HP:HPSBHF03119   |   URL:http://marc.info/?l=bugtraq&m=141216668515282&w=2   |   HP:HPSBHF03124   |   URL:http://marc.info/?l=bugtraq&m=141235957116749&w=2   |   HP:HPSBHF03125   |   URL:http://marc.info/?l=bugtraq&m=141345648114150&w=2   |   HP:HPSBHF03145   |   URL:http://marc.info/?l=bugtraq&m=141383465822787&w=2   |   HP:HPSBHF03146   |   URL:http://marc.info/?l=bugtraq&m=141383353622268&w=2   |   HP:HPSBMU03133   |   URL:http://marc.info/?l=bugtraq&m=141330425327438&w=2   |   HP:HPSBMU03143   |   URL:http://marc.info/?l=bugtraq&m=141383026420882&w=2   |   HP:HPSBMU03144   |   URL:http://marc.info/?l=bugtraq&m=141383081521087&w=2   |   HP:HPSBMU03165   |   URL:http://marc.info/?l=bugtraq&m=141577137423233&w=2   |   HP:HPSBMU03182   |   URL:http://marc.info/?l=bugtraq&m=141585637922673&w=2   |   HP:HPSBMU03217   |   URL:http://marc.info/?l=bugtraq&m=141879528318582&w=2   |   HP:HPSBMU03220   |   URL:http://marc.info/?l=bugtraq&m=142721162228379&w=2   |   HP:HPSBMU03245   |   URL:http://marc.info/?l=bugtraq&m=142358026505815&w=2   |   HP:HPSBMU03246   |   URL:http://marc.info/?l=bugtraq&m=142358078406056&w=2   |   HP:HPSBOV03228   |   URL:http://marc.info/?l=bugtraq&m=142113462216480&w=2   |   HP:HPSBST03122   |   URL:http://marc.info/?l=bugtraq&m=141319209015420&w=2   |   HP:HPSBST03129   |   URL:http://marc.info/?l=bugtraq&m=141383196021590&w=2   |   HP:HPSBST03131   |   URL:http://marc.info/?l=bugtraq&m=141383138121313&w=2   |   HP:HPSBST03148   |   URL:http://marc.info/?l=bugtraq&m=141694386919794&w=2   |   HP:HPSBST03154   |   URL:http://marc.info/?l=bugtraq&m=141577297623641&w=2   |   HP:HPSBST03155   |   URL:http://marc.info/?l=bugtraq&m=141576728022234&w=2   |   HP:HPSBST03157   |   URL:http://marc.info/?l=bugtraq&m=141450491804793&w=2   |   HP:HPSBST03181   |   URL:http://marc.info/?l=bugtraq&m=141577241923505&w=2   |   HP:HPSBST03195   |   URL:http://marc.info/?l=bugtraq&m=142805027510172&w=2   |   HP:HPSBST03196   |   URL:http://marc.info/?l=bugtraq&m=142719845423222&w=2   |   HP:HPSBST03265   |   URL:http://marc.info/?l=bugtraq&m=142546741516006&w=2   |   HP:SSRT101711   |   URL:http://marc.info/?l=bugtraq&m=142113462216480&w=2   |   HP:SSRT101739   |   URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2   |   HP:SSRT101742   |   URL:http://marc.info/?l=bugtraq&m=142358026505815&w=2   |   HP:SSRT101816   |   URL:http://marc.info/?l=bugtraq&m=142719845423222&w=2   |   HP:SSRT101819   |   URL:http://marc.info/?l=bugtraq&m=142721162228379&w=2   |   HP:SSRT101827   |   URL:http://marc.info/?l=bugtraq&m=141879528318582&w=2   |   HP:SSRT101868   |   URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2   |   JVN:JVN#55667175   |   URL:http://jvn.jp/en/jp/JVN55667175/index.html   |   JVNDB:JVNDB-2014-000126   |   URL:http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126   |   MANDRIVA:MDVSA-2015:164   |   URL:http://www.mandriva.com/security/advisories?name=MDVSA-2015:164   |   MISC:http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html   |   MISC:http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html   |   MISC:http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html   |   MISC:http://packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html   |   MISC:http://packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html   |   REDHAT:RHSA-2014:1293   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1293.html   |   REDHAT:RHSA-2014:1294   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1294.html   |   REDHAT:RHSA-2014:1295   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1295.html   |   REDHAT:RHSA-2014:1354   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1354.html   |   SECUNIA:58200   |   URL:http://secunia.com/advisories/58200   |   SECUNIA:59272   |   URL:http://secunia.com/advisories/59272   |   SECUNIA:59737   |   URL:http://secunia.com/advisories/59737   |   SECUNIA:59907   |   URL:http://secunia.com/advisories/59907   |   SECUNIA:60024   |   URL:http://secunia.com/advisories/60024   |   SECUNIA:60034   |   URL:http://secunia.com/advisories/60034   |   SECUNIA:60044   |   URL:http://secunia.com/advisories/60044   |   SECUNIA:60055   |   URL:http://secunia.com/advisories/60055   |   SECUNIA:60063   |   URL:http://secunia.com/advisories/60063   |   SECUNIA:60193   |   URL:http://secunia.com/advisories/60193   |   SECUNIA:60325   |   URL:http://secunia.com/advisories/60325   |   SECUNIA:60433   |   URL:http://secunia.com/advisories/60433   |   SECUNIA:60947   |   URL:http://secunia.com/advisories/60947   |   SECUNIA:61065   |   URL:http://secunia.com/advisories/61065   |   SECUNIA:61128   |   URL:http://secunia.com/advisories/61128   |   SECUNIA:61129   |   URL:http://secunia.com/advisories/61129   |   SECUNIA:61188   |   URL:http://secunia.com/advisories/61188   |   SECUNIA:61283   |   URL:http://secunia.com/advisories/61283   |   SECUNIA:61287   |   URL:http://secunia.com/advisories/61287   |   SECUNIA:61291   |   URL:http://secunia.com/advisories/61291   |   SECUNIA:61312   |   URL:http://secunia.com/advisories/61312   |   SECUNIA:61313   |   URL:http://secunia.com/advisories/61313   |   SECUNIA:61328   |   URL:http://secunia.com/advisories/61328   |   SECUNIA:61442   |   URL:http://secunia.com/advisories/61442   |   SECUNIA:61471   |   URL:http://secunia.com/advisories/61471   |   SECUNIA:61485   |   URL:http://secunia.com/advisories/61485   |   SECUNIA:61503   |   URL:http://secunia.com/advisories/61503   |   SECUNIA:61542   |   URL:http://secunia.com/advisories/61542   |   SECUNIA:61547   |   URL:http://secunia.com/advisories/61547   |   SECUNIA:61550   |   URL:http://secunia.com/advisories/61550   |   SECUNIA:61552   |   URL:http://secunia.com/advisories/61552   |   SECUNIA:61565   |   URL:http://secunia.com/advisories/61565   |   SECUNIA:61603   |   URL:http://secunia.com/advisories/61603   |   SECUNIA:61633   |   URL:http://secunia.com/advisories/61633   |   SECUNIA:61641   |   URL:http://secunia.com/advisories/61641   |   SECUNIA:61643   |   URL:http://secunia.com/advisories/61643   |   SECUNIA:61654   |   URL:http://secunia.com/advisories/61654   |   SECUNIA:61676   |   URL:http://secunia.com/advisories/61676   |   SECUNIA:61700   |   URL:http://secunia.com/advisories/61700   |   SECUNIA:61703   |   URL:http://secunia.com/advisories/61703   |   SECUNIA:61711   |   URL:http://secunia.com/advisories/61711   |   SECUNIA:61715   |   URL:http://secunia.com/advisories/61715   |   SECUNIA:61780   |   URL:http://secunia.com/advisories/61780   |   SECUNIA:61816   |   URL:http://secunia.com/advisories/61816   |   SECUNIA:61855   |   URL:http://secunia.com/advisories/61855   |   SECUNIA:61857   |   URL:http://secunia.com/advisories/61857   |   SECUNIA:61873   |   URL:http://secunia.com/advisories/61873   |   SECUNIA:62228   |   URL:http://secunia.com/advisories/62228   |   SECUNIA:62312   |   URL:http://secunia.com/advisories/62312   |   SECUNIA:62343   |   URL:http://secunia.com/advisories/62343   |   SUSE:SUSE-SU-2014:1212   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00028.html   |   SUSE:SUSE-SU-2014:1213   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00029.html   |   SUSE:SUSE-SU-2014:1223   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00034.html   |   SUSE:SUSE-SU-2014:1260   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00049.html   |   SUSE:SUSE-SU-2014:1287   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html   |   SUSE:openSUSE-SU-2014:1226   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00037.html   |   SUSE:openSUSE-SU-2014:1238   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00040.html   |   SUSE:openSUSE-SU-2014:1254   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html   |   SUSE:openSUSE-SU-2014:1308   |   URL:http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html   |   SUSE:openSUSE-SU-2014:1310   |   URL:http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html   |   UBUNTU:USN-2362-1   |   URL:http://www.ubuntu.com/usn/USN-2362-1",Assigned (20140909),"None (candidate not yet proposed)",""
18| [CVE-2016-2166,Candidate,"The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.","BUGTRAQ:20160323 CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for 'amqps' if SSL/TLS not supported   |   URL:http://www.securityfocus.com/archive/1/537864/100/0/threaded   |   CONFIRM:http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html   |   CONFIRM:https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git] h=a058585   |   CONFIRM:https://issues.apache.org/jira/browse/PROTON-1157   |   FEDORA:FEDORA-2016-e6e8436b98   |   URL:http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html   |   MISC:http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html   |   MLIST:[qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223   |   URL:https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E",Assigned (20160129),"None (candidate not yet proposed)",""
19| [CVE-2016-4462,Candidate,"By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage]  a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01","MLIST:[www-announce] 20161129 [SECURITY] CVE-2016-4462 OFBiz template remote code vulnerability   |   URL:http://git.net/ml/dev.ofbiz.apache.org/2016-11/msg00180.html",Assigned (20160502),"None (candidate not yet proposed)",""
20| [CVE-2016-5387,Candidate,"The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an ""httpoxy"" issue.  NOTE: the vendor states ""This mitigation has been assigned the identifier CVE-2016-5387""]  in other words, this is not a CVE ID for a vulnerability.","BID:91816   |   URL:http://www.securityfocus.com/bid/91816   |   CERT-VN:VU#797896   |   URL:http://www.kb.cert.org/vuls/id/797896   |   CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html   |   CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html   |   CONFIRM:https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722   |   CONFIRM:https://support.apple.com/HT208221   |   CONFIRM:https://www.apache.org/security/asf-httpoxy-response.txt   |   CONFIRM:https://www.tenable.com/security/tns-2017-04   |   DEBIAN:DSA-3623   |   URL:http://www.debian.org/security/2016/dsa-3623   |   FEDORA:FEDORA-2016-683d0b257b   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/   |   FEDORA:FEDORA-2016-9fd9bfab9e   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEKZAB7MTWVSMORHTEMCQNFFMIHCYF76/   |   FEDORA:FEDORA-2016-a29c65b00f   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6WCTE7443AYZ4EGELWLVNANA2WJCJIYI/   |   FEDORA:FEDORA-2016-df0726ae26   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TGNHXJJSWDXAOEYH5TMXDPQVJMQQJOAZ/   |   GENTOO:GLSA-201701-36   |   URL:https://security.gentoo.org/glsa/201701-36   |   MISC:https://httpoxy.org/   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E   |   REDHAT:RHSA-2016:1420   |   URL:https://access.redhat.com/errata/RHSA-2016:1420   |   REDHAT:RHSA-2016:1421   |   URL:https://access.redhat.com/errata/RHSA-2016:1421   |   REDHAT:RHSA-2016:1422   |   URL:https://access.redhat.com/errata/RHSA-2016:1422   |   REDHAT:RHSA-2016:1624   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1624.html   |   REDHAT:RHSA-2016:1625   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1625.html   |   REDHAT:RHSA-2016:1635   |   URL:https://access.redhat.com/errata/RHSA-2016:1635   |   REDHAT:RHSA-2016:1636   |   URL:https://access.redhat.com/errata/RHSA-2016:1636   |   REDHAT:RHSA-2016:1648   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1648.html   |   REDHAT:RHSA-2016:1649   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1649.html   |   REDHAT:RHSA-2016:1650   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1650.html   |   REDHAT:RHSA-2016:1851   |   URL:https://access.redhat.com/errata/RHSA-2016:1851   |   SECTRACK:1036330   |   URL:http://www.securitytracker.com/id/1036330   |   SUSE:openSUSE-SU-2016:1824   |   URL:http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html   |   UBUNTU:USN-3038-1   |   URL:http://www.ubuntu.com/usn/USN-3038-1",Assigned (20160610),"None (candidate not yet proposed)",""
21| [CVE-2016-5388,Candidate,"Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an ""httpoxy"" issue. NOTE: the vendor states ""A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388""]  in other words, this is not a CVE ID for a vulnerability.","BID:91818   |   URL:http://www.securityfocus.com/bid/91818   |   CERT-VN:VU#797896   |   URL:http://www.kb.cert.org/vuls/id/797896   |   CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html   |   CONFIRM:https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722   |   CONFIRM:https://tomcat.apache.org/tomcat-7.0-doc/changelog.html   |   CONFIRM:https://www.apache.org/security/asf-httpoxy-response.txt   |   MISC:https://httpoxy.org/   |   MLIST:[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar   |   URL:https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.   |   URL:https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190925 [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar   |   URL:https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E   |   MLIST:[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html   |   REDHAT:RHSA-2016:1624   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1624.html   |   REDHAT:RHSA-2016:1635   |   URL:https://access.redhat.com/errata/RHSA-2016:1635   |   REDHAT:RHSA-2016:1636   |   URL:https://access.redhat.com/errata/RHSA-2016:1636   |   REDHAT:RHSA-2016:2045   |   URL:http://rhn.redhat.com/errata/RHSA-2016-2045.html   |   REDHAT:RHSA-2016:2046   |   URL:http://rhn.redhat.com/errata/RHSA-2016-2046.html   |   SECTRACK:1036331   |   URL:http://www.securitytracker.com/id/1036331   |   SUSE:openSUSE-SU-2016:2252   |   URL:http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html",Assigned (20160610),"None (candidate not yet proposed)",""
22| [CVE-2016-6799,Candidate,"Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application]  any application installed on the device has the capability to read data logged by other applications.","BID:98365   |   URL:http://www.securityfocus.com/bid/98365   |   MLIST:[dev] 20170509 CVE-2016-6799: Internal system information leak   |   URL:https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E",Assigned (20160812),"None (candidate not yet proposed)",""
23| [CVE-2017-15714,Candidate,"The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code ""__format=%27] alert(%27xss%27)"" to the URL an alert window would execute.","MLIST:[user] 20180103 [SECURITY] CVE-2017-15714 Apache OFBiz BIRT code vulnerability   |   URL:https://s.apache.org/UO3W",Assigned (20171021),"None (candidate not yet proposed)",""
24| [CVE-2017-17837,Candidate,"The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1.","CONFIRM:https://git-wip-us.apache.org/repos/asf?p=deltaspike.git] h=4e25023   |   CONFIRM:https://issues.apache.org/jira/browse/DELTASPIKE-1307",Assigned (20171222),"None (candidate not yet proposed)",""
25| [CVE-2018-11786,Candidate,"In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory]  it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.","CONFIRM:http://karaf.apache.org/security/cve-2018-11786.txt   |   CONFIRM:https://issues.apache.org/jira/browse/KARAF-5427   |   MLIST:[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11786 released for Apache Karaf   |   URL:https://lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9@%3Cdev.karaf.apache.org%3E",Assigned (20180605),"None (candidate not yet proposed)",""
26| [CVE-2018-1199,Candidate,"Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1]  and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.","CONFIRM:https://pivotal.io/security/cve-2018-1199   |   MLIST:[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)   |   URL:https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar   |   URL:https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar   |   URL:https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E   |   REDHAT:RHSA-2018:2405   |   URL:https://access.redhat.com/errata/RHSA-2018:2405",Assigned (20171206),"None (candidate not yet proposed)",""
27| [CVE-2018-1336,Candidate,"An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.","BID:104898   |   URL:http://www.securityfocus.com/bid/104898   |   CONFIRM:https://security.netapp.com/advisory/ntap-20180817-0001/   |   CONFIRM:https://support.f5.com/csp/article/K73008537?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4281   |   URL:https://www.debian.org/security/2018/dsa-4281   |   MLIST:[debian-lts-announce] 20180902 [SECURITY] [DLA 1491-1] tomcat8 security update   |   URL:https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html   |   MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E   |   MLIST:[www-announce] 20180722 [SECURITY] CVE-2018-1336 Apache Tomcat - Denial of Service   |   URL:http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E   |   REDHAT:RHEA-2018:2188   |   URL:https://access.redhat.com/errata/RHEA-2018:2188   |   REDHAT:RHEA-2018:2189   |   URL:https://access.redhat.com/errata/RHEA-2018:2189   |   REDHAT:RHSA-2018:2700   |   URL:https://access.redhat.com/errata/RHSA-2018:2700   |   REDHAT:RHSA-2018:2701   |   URL:https://access.redhat.com/errata/RHSA-2018:2701   |   REDHAT:RHSA-2018:2740   |   URL:https://access.redhat.com/errata/RHSA-2018:2740   |   REDHAT:RHSA-2018:2741   |   URL:https://access.redhat.com/errata/RHSA-2018:2741   |   REDHAT:RHSA-2018:2742   |   URL:https://access.redhat.com/errata/RHSA-2018:2742   |   REDHAT:RHSA-2018:2743   |   URL:https://access.redhat.com/errata/RHSA-2018:2743   |   REDHAT:RHSA-2018:2921   |   URL:https://access.redhat.com/errata/RHSA-2018:2921   |   REDHAT:RHSA-2018:2930   |   URL:https://access.redhat.com/errata/RHSA-2018:2930   |   REDHAT:RHSA-2018:2939   |   URL:https://access.redhat.com/errata/RHSA-2018:2939   |   REDHAT:RHSA-2018:2945   |   URL:https://access.redhat.com/errata/RHSA-2018:2945   |   REDHAT:RHSA-2018:3768   |   URL:https://access.redhat.com/errata/RHSA-2018:3768   |   SECTRACK:1041375   |   URL:http://www.securitytracker.com/id/1041375   |   UBUNTU:USN-3723-1   |   URL:https://usn.ubuntu.com/3723-1/",Assigned (20171207),"None (candidate not yet proposed)",""
28| [CVE-2018-16890,Candidate,"libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.","BID:106947   |   URL:http://www.securityfocus.com/bid/106947   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890   |   CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190315-0001/   |   CONFIRM:https://support.f5.com/csp/article/K03314397?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4386   |   URL:https://www.debian.org/security/2019/dsa-4386   |   MISC:https://curl.haxx.se/docs/CVE-2018-16890.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html   |   MLIST:[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.   |   URL:https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E   |   REDHAT:RHSA-2019:3701   |   URL:https://access.redhat.com/errata/RHSA-2019:3701   |   UBUNTU:USN-3882-1   |   URL:https://usn.ubuntu.com/3882-1/",Assigned (20180911),"None (candidate not yet proposed)",""
29| [CVE-2018-8010,Candidate,"This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader)]  usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.","BID:104239   |   URL:http://www.securityfocus.com/bid/104239   |   MISC:https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E",Assigned (20180309),"None (candidate not yet proposed)",""
30| [CVE-2018-8039,Candidate,"It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty(""java.protocol.handler.pkgs"", ""com.sun.net.ssl.internal.www.protocol"")] '. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.","BID:106357   |   URL:http://www.securityfocus.com/bid/106357   |   CONFIRM:http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2   |   CONFIRM:https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b   |   MISC:https://www.oracle.com/security-alerts/cpujan2020.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html   |   MLIST:[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html   |   URL:https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E   |   MLIST:[cxf-user] 20180628 Apache CXF 3.2.6 and 3.1.16 are released   |   URL:https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866@%3Cdev.cxf.apache.org%3E   |   REDHAT:RHSA-2018:2276   |   URL:https://access.redhat.com/errata/RHSA-2018:2276   |   REDHAT:RHSA-2018:2277   |   URL:https://access.redhat.com/errata/RHSA-2018:2277   |   REDHAT:RHSA-2018:2279   |   URL:https://access.redhat.com/errata/RHSA-2018:2279   |   REDHAT:RHSA-2018:2423   |   URL:https://access.redhat.com/errata/RHSA-2018:2423   |   REDHAT:RHSA-2018:2424   |   URL:https://access.redhat.com/errata/RHSA-2018:2424   |   REDHAT:RHSA-2018:2425   |   URL:https://access.redhat.com/errata/RHSA-2018:2425   |   REDHAT:RHSA-2018:2428   |   URL:https://access.redhat.com/errata/RHSA-2018:2428   |   REDHAT:RHSA-2018:2643   |   URL:https://access.redhat.com/errata/RHSA-2018:2643   |   REDHAT:RHSA-2018:3768   |   URL:https://access.redhat.com/errata/RHSA-2018:3768   |   REDHAT:RHSA-2018:3817   |   URL:https://access.redhat.com/errata/RHSA-2018:3817   |   SECTRACK:1041199   |   URL:http://www.securitytracker.com/id/1041199",Assigned (20180309),"None (candidate not yet proposed)",""
31| [CVE-2019-0221,Candidate,"The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.","BID:108545   |   URL:http://www.securityfocus.com/bid/108545   |   BUGTRAQ:20191229 [SECURITY] [DSA 4596-1] tomcat8 security update   |   URL:https://seclists.org/bugtraq/2019/Dec/43   |   CONFIRM:https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190606-0001/   |   CONFIRM:https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4596   |   URL:https://www.debian.org/security/2019/dsa-4596   |   FEDORA:FEDORA-2019-1a3f878d27   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/   |   FEDORA:FEDORA-2019-d66febb5df   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/   |   FULLDISC:20190529 XSS in SSI printenv command - Apache Tomcat - CVE-2019-0221   |   URL:http://seclists.org/fulldisclosure/2019/May/50   |   MISC:https://www.oracle.com/security-alerts/cpujan2020.html   |   MISC:https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/   |   MLIST:[announce] 20200131 Apache Software Foundation Security Report: 2019   |   URL:https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E   |   MLIST:[debian-lts-announce] 20190530 [SECURITY] [DLA 1810-1] tomcat7 security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html   |   MLIST:[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E   |   REDHAT:RHSA-2019:3929   |   URL:https://access.redhat.com/errata/RHSA-2019:3929   |   REDHAT:RHSA-2019:3931   |   URL:https://access.redhat.com/errata/RHSA-2019:3931   |   SUSE:openSUSE-SU-2019:1673   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html   |   SUSE:openSUSE-SU-2019:1808   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html   |   UBUNTU:USN-4128-1   |   URL:https://usn.ubuntu.com/4128-1/   |   UBUNTU:USN-4128-2   |   URL:https://usn.ubuntu.com/4128-2/",Assigned (20181114),"None (candidate not yet proposed)",""
32| [CVE-2019-0224,Candidate,"In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser]  only on its own browser.","BID:107631   |   URL:http://www.securityfocus.com/bid/107631   |   CONFIRM:https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224   |   MLIST:[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures   |   URL:https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E   |   MLIST:[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures   |   URL:https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E   |   MLIST:[jspwiki-dev] 20190326 [CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability   |   URL:https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67@%3Cdev.jspwiki.apache.org%3E",Assigned (20181114),"None (candidate not yet proposed)",""
33| [CVE-2019-10081,Candidate,"HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with ""H2PushResource"", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.","BUGTRAQ:20190826 [SECURITY] [DSA 4509-1] apache2 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/47   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190905-0003/   |   CONFIRM:https://support.f5.com/csp/article/K84341091?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4509   |   URL:https://www.debian.org/security/2019/dsa-4509   |   GENTOO:GLSA-201909-04   |   URL:https://security.gentoo.org/glsa/201909-04   |   MISC:https://httpd.apache.org/security/vulnerabilities_24.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html   |   SUSE:openSUSE-SU-2019:2051   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html   |   UBUNTU:USN-4113-1   |   URL:https://usn.ubuntu.com/4113-1/",Assigned (20190326),"None (candidate not yet proposed)",""
34| [CVE-2019-11231,Candidate,"An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user]  however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since they decided to roll their own implementation. The cookie_name is crafted information that can be leaked from the frontend (site name and version). If a someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on an SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for forms submissions via POST requests, and for the csrf nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web accessible and executable files with arbitrary content.","MISC:http://packetstormsecurity.com/files/152961/GetSimpleCMS-3.3.15-Remote-Code-Execution.html   |   MISC:https://ssd-disclosure.com/?p=3899&preview=true",Assigned (20190414),"None (candidate not yet proposed)",""
35| [CVE-2019-12401,Candidate,"Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it&#8217] s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.","CONFIRM:https://security.netapp.com/advisory/ntap-20190926-0002/   |   MLIST:[lucene-dev] 20190911 [jira] [Commented] (SOLR-13750) [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0   |   URL:https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E   |   MLIST:[www-announce] 20190909 [SECURITY] CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0   |   URL:http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E",Assigned (20190528),"None (candidate not yet proposed)",""
36| [CVE-2019-12405,Candidate,"Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.","CONFIRM:https://support.f5.com/csp/article/K84141859   |   CONFIRM:https://support.f5.com/csp/article/K84141859?utm_source=f5support&amp] utm_medium=RSS   |   MLIST:[trafficcontrol-users] 20190906 CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability   |   URL:https://lists.apache.org/thread.html/e128e9d382f3b0d074e2b597ac58e1d92139394509d81ddbc9e3700e@%3Cusers.trafficcontrol.apache.org%3E",Assigned (20190528),"None (candidate not yet proposed)",""
37| [CVE-2019-12409,Candidate,"The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.","CONFIRM:https://support.f5.com/csp/article/K23720587?utm_source=f5support&amp] utm_medium=RSS   |   MLIST:[lucene-solr-user] 20191118 CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default   |   URL:https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E",Assigned (20190528),"None (candidate not yet proposed)",""
38| [CVE-2019-12418,Candidate,"When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.","BUGTRAQ:20191229 [SECURITY] [DSA 4596-1] tomcat8 security update   |   URL:https://seclists.org/bugtraq/2019/Dec/43   |   CONFIRM:https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E   |   CONFIRM:https://security.netapp.com/advisory/ntap-20200107-0001/   |   CONFIRM:https://support.f5.com/csp/article/K10107360?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4596   |   URL:https://www.debian.org/security/2019/dsa-4596   |   MLIST:[debian-lts-announce] 20200127 [SECURITY] [DLA 2077-1] tomcat7 security update   |   URL:https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E   |   SUSE:openSUSE-SU-2020:0038   |   URL:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html   |   UBUNTU:USN-4251-1   |   URL:https://usn.ubuntu.com/4251-1/",Assigned (20190528),"None (candidate not yet proposed)",""
39| [CVE-2019-17570,Candidate,"An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.","BUGTRAQ:20200210 [SECURITY] [DSA 4619-1] libxmlrpc3-java security update   |   URL:https://seclists.org/bugtraq/2020/Feb/8   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570]    |   CONFIRM:https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E   |   DEBIAN:DSA-4619   |   URL:https://www.debian.org/security/2020/dsa-4619   |   MLIST:[debian-lts-announce] 20200130 [SECURITY] [DLA 2078-1] libxmlrpc3-java security update   |   URL:https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html   |   MLIST:[oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization   |   URL:http://www.openwall.com/lists/oss-security/2020/01/24/2   |   REDHAT:RHSA-2020:0310   |   URL:https://access.redhat.com/errata/RHSA-2020:0310",Assigned (20191014),"None (candidate not yet proposed)",""
40| [CVE-2019-3822,Candidate,"libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.","BID:106950   |   URL:http://www.securityfocus.com/bid/106950   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822   |   CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190315-0001/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190719-0004/   |   CONFIRM:https://support.f5.com/csp/article/K84141449   |   CONFIRM:https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4386   |   URL:https://www.debian.org/security/2019/dsa-4386   |   GENTOO:GLSA-201903-03   |   URL:https://security.gentoo.org/glsa/201903-03   |   MISC:https://curl.haxx.se/docs/CVE-2019-3822.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html   |   MLIST:[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.   |   URL:https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E   |   REDHAT:RHSA-2019:3701   |   URL:https://access.redhat.com/errata/RHSA-2019:3701   |   UBUNTU:USN-3882-1   |   URL:https://usn.ubuntu.com/3882-1/",Assigned (20190103),"None (candidate not yet proposed)",""
41| [CVE-2019-8331,Candidate,"In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.","BID:107375   |   URL:http://www.securityfocus.com/bid/107375   |   BUGTRAQ:20190509 dotCMS v5.1.1 Vulnerabilities   |   URL:https://seclists.org/bugtraq/2019/May/18   |   CONFIRM:https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/   |   CONFIRM:https://support.f5.com/csp/article/K24383845   |   CONFIRM:https://support.f5.com/csp/article/K24383845?utm_source=f5support&amp] utm_medium=RSS   |   FULLDISC:20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability   |   URL:http://seclists.org/fulldisclosure/2019/May/13   |   FULLDISC:20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability   |   URL:http://seclists.org/fulldisclosure/2019/May/11   |   FULLDISC:20190510 dotCMS v5.1.1 Vulnerabilities   |   URL:http://seclists.org/fulldisclosure/2019/May/10   |   MISC:http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html   |   MISC:https://github.com/twbs/bootstrap/pull/28236   |   MISC:https://github.com/twbs/bootstrap/releases/tag/v3.4.1   |   MISC:https://github.com/twbs/bootstrap/releases/tag/v4.3.1   |   MLIST:[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities   |   URL:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E   |   MLIST:[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities   |   URL:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E   |   MLIST:[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities   |   URL:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E   |   MLIST:[flink-dev] 20190811 Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E   |   MLIST:[flink-user] 20190811 Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E   |   MLIST:[flink-user] 20190813 Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E   |   MLIST:[flink-user] 20190813 Re: Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E   |   MLIST:[superset-dev] 20190926 Re: [VOTE] Release Superset 0.34.1 based on Superset 0.34.1rc1   |   URL:https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E   |   REDHAT:RHSA-2019:1456   |   URL:https://access.redhat.com/errata/RHSA-2019:1456   |   REDHAT:RHSA-2019:3023   |   URL:https://access.redhat.com/errata/RHSA-2019:3023   |   REDHAT:RHSA-2019:3024   |   URL:https://access.redhat.com/errata/RHSA-2019:3024",Assigned (20190213),"None (candidate not yet proposed)",""
42| [CVE-2019-9512,Candidate,"Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/31   |   BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update   |   URL:https://seclists.org/bugtraq/2019/Aug/43   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0001/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0004/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K98053339   |   CONFIRM:https://support.f5.com/csp/article/K98053339?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4503   |   URL:https://www.debian.org/security/2019/dsa-4503   |   DEBIAN:DSA-4508   |   URL:https://www.debian.org/security/2019/dsa-4508   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-55d101a740   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-65db7ad6c7   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514   |   URL:http://www.openwall.com/lists/oss-security/2019/08/20/1   |   MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2594   |   URL:https://access.redhat.com/errata/RHSA-2019:2594   |   REDHAT:RHSA-2019:2661   |   URL:https://access.redhat.com/errata/RHSA-2019:2661   |   REDHAT:RHSA-2019:2682   |   URL:https://access.redhat.com/errata/RHSA-2019:2682   |   REDHAT:RHSA-2019:2690   |   URL:https://access.redhat.com/errata/RHSA-2019:2690   |   REDHAT:RHSA-2019:2726   |   URL:https://access.redhat.com/errata/RHSA-2019:2726   |   REDHAT:RHSA-2019:2766   |   URL:https://access.redhat.com/errata/RHSA-2019:2766   |   REDHAT:RHSA-2019:2769   |   URL:https://access.redhat.com/errata/RHSA-2019:2769   |   REDHAT:RHSA-2019:2796   |   URL:https://access.redhat.com/errata/RHSA-2019:2796   |   REDHAT:RHSA-2019:2861   |   URL:https://access.redhat.com/errata/RHSA-2019:2861   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:2966   |   URL:https://access.redhat.com/errata/RHSA-2019:2966   |   REDHAT:RHSA-2019:3131   |   URL:https://access.redhat.com/errata/RHSA-2019:3131   |   REDHAT:RHSA-2019:3245   |   URL:https://access.redhat.com/errata/RHSA-2019:3245   |   REDHAT:RHSA-2019:3265   |   URL:https://access.redhat.com/errata/RHSA-2019:3265   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:3906   |   URL:https://access.redhat.com/errata/RHSA-2019:3906   |   REDHAT:RHSA-2019:4018   |   URL:https://access.redhat.com/errata/RHSA-2019:4018   |   REDHAT:RHSA-2019:4019   |   URL:https://access.redhat.com/errata/RHSA-2019:4019   |   REDHAT:RHSA-2019:4020   |   URL:https://access.redhat.com/errata/RHSA-2019:4020   |   REDHAT:RHSA-2019:4021   |   URL:https://access.redhat.com/errata/RHSA-2019:4021   |   REDHAT:RHSA-2019:4040   |   URL:https://access.redhat.com/errata/RHSA-2019:4040   |   REDHAT:RHSA-2019:4041   |   URL:https://access.redhat.com/errata/RHSA-2019:4041   |   REDHAT:RHSA-2019:4042   |   URL:https://access.redhat.com/errata/RHSA-2019:4042   |   REDHAT:RHSA-2019:4045   |   URL:https://access.redhat.com/errata/RHSA-2019:4045   |   REDHAT:RHSA-2019:4269   |   URL:https://access.redhat.com/errata/RHSA-2019:4269   |   REDHAT:RHSA-2019:4273   |   URL:https://access.redhat.com/errata/RHSA-2019:4273   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0406   |   URL:https://access.redhat.com/errata/RHSA-2020:0406   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2000   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html   |   SUSE:openSUSE-SU-2019:2056   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html   |   SUSE:openSUSE-SU-2019:2072   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html   |   SUSE:openSUSE-SU-2019:2085   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html   |   SUSE:openSUSE-SU-2019:2130   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html",Assigned (20190301),"None (candidate not yet proposed)",""
43| [CVE-2019-9514,Candidate,"Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/31   |   BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update   |   URL:https://seclists.org/bugtraq/2019/Aug/43   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0001/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0004/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K01988340   |   CONFIRM:https://support.f5.com/csp/article/K01988340?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4503   |   URL:https://www.debian.org/security/2019/dsa-4503   |   DEBIAN:DSA-4508   |   URL:https://www.debian.org/security/2019/dsa-4508   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-55d101a740   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-65db7ad6c7   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514   |   URL:http://www.openwall.com/lists/oss-security/2019/08/20/1   |   MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2594   |   URL:https://access.redhat.com/errata/RHSA-2019:2594   |   REDHAT:RHSA-2019:2661   |   URL:https://access.redhat.com/errata/RHSA-2019:2661   |   REDHAT:RHSA-2019:2682   |   URL:https://access.redhat.com/errata/RHSA-2019:2682   |   REDHAT:RHSA-2019:2690   |   URL:https://access.redhat.com/errata/RHSA-2019:2690   |   REDHAT:RHSA-2019:2726   |   URL:https://access.redhat.com/errata/RHSA-2019:2726   |   REDHAT:RHSA-2019:2766   |   URL:https://access.redhat.com/errata/RHSA-2019:2766   |   REDHAT:RHSA-2019:2769   |   URL:https://access.redhat.com/errata/RHSA-2019:2769   |   REDHAT:RHSA-2019:2796   |   URL:https://access.redhat.com/errata/RHSA-2019:2796   |   REDHAT:RHSA-2019:2861   |   URL:https://access.redhat.com/errata/RHSA-2019:2861   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:2966   |   URL:https://access.redhat.com/errata/RHSA-2019:2966   |   REDHAT:RHSA-2019:3131   |   URL:https://access.redhat.com/errata/RHSA-2019:3131   |   REDHAT:RHSA-2019:3245   |   URL:https://access.redhat.com/errata/RHSA-2019:3245   |   REDHAT:RHSA-2019:3265   |   URL:https://access.redhat.com/errata/RHSA-2019:3265   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:3906   |   URL:https://access.redhat.com/errata/RHSA-2019:3906   |   REDHAT:RHSA-2019:4018   |   URL:https://access.redhat.com/errata/RHSA-2019:4018   |   REDHAT:RHSA-2019:4019   |   URL:https://access.redhat.com/errata/RHSA-2019:4019   |   REDHAT:RHSA-2019:4020   |   URL:https://access.redhat.com/errata/RHSA-2019:4020   |   REDHAT:RHSA-2019:4021   |   URL:https://access.redhat.com/errata/RHSA-2019:4021   |   REDHAT:RHSA-2019:4040   |   URL:https://access.redhat.com/errata/RHSA-2019:4040   |   REDHAT:RHSA-2019:4041   |   URL:https://access.redhat.com/errata/RHSA-2019:4041   |   REDHAT:RHSA-2019:4042   |   URL:https://access.redhat.com/errata/RHSA-2019:4042   |   REDHAT:RHSA-2019:4045   |   URL:https://access.redhat.com/errata/RHSA-2019:4045   |   REDHAT:RHSA-2019:4269   |   URL:https://access.redhat.com/errata/RHSA-2019:4269   |   REDHAT:RHSA-2019:4273   |   URL:https://access.redhat.com/errata/RHSA-2019:4273   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0406   |   URL:https://access.redhat.com/errata/RHSA-2020:0406   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2000   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html   |   SUSE:openSUSE-SU-2019:2056   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html   |   SUSE:openSUSE-SU-2019:2072   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html   |   SUSE:openSUSE-SU-2019:2085   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html   |   SUSE:openSUSE-SU-2019:2130   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html",Assigned (20190301),"None (candidate not yet proposed)",""
44| [CVE-2019-9515,Candidate,"Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update   |   URL:https://seclists.org/bugtraq/2019/Aug/43   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K50233772   |   CONFIRM:https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4508   |   URL:https://www.debian.org/security/2019/dsa-4508   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2766   |   URL:https://access.redhat.com/errata/RHSA-2019:2766   |   REDHAT:RHSA-2019:2796   |   URL:https://access.redhat.com/errata/RHSA-2019:2796   |   REDHAT:RHSA-2019:2861   |   URL:https://access.redhat.com/errata/RHSA-2019:2861   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:4018   |   URL:https://access.redhat.com/errata/RHSA-2019:4018   |   REDHAT:RHSA-2019:4019   |   URL:https://access.redhat.com/errata/RHSA-2019:4019   |   REDHAT:RHSA-2019:4020   |   URL:https://access.redhat.com/errata/RHSA-2019:4020   |   REDHAT:RHSA-2019:4021   |   URL:https://access.redhat.com/errata/RHSA-2019:4021   |   REDHAT:RHSA-2019:4040   |   URL:https://access.redhat.com/errata/RHSA-2019:4040   |   REDHAT:RHSA-2019:4041   |   URL:https://access.redhat.com/errata/RHSA-2019:4041   |   REDHAT:RHSA-2019:4042   |   URL:https://access.redhat.com/errata/RHSA-2019:4042   |   REDHAT:RHSA-2019:4045   |   URL:https://access.redhat.com/errata/RHSA-2019:4045   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html",Assigned (20190301),"None (candidate not yet proposed)",""
45| [CVE-2019-9517,Candidate,"Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint]  however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.","BUGTRAQ:20190826 [SECURITY] [DSA 4509-1] apache2 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/47   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0003/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190905-0003/   |   CONFIRM:https://support.f5.com/csp/article/K02591030   |   CONFIRM:https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp
46| [CVE-2019-9518,Candidate,"Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K46011592   |   CONFIRM:https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities   |   URL:https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E   |   MLIST:[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames   |   URL:https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames   |   URL:https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames   |   URL:https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html",Assigned (20190301),"None (candidate not yet proposed)",""
47| [CVE-2019-9853,Candidate,"LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7]  LibreOffice 6.3 series versions prior to 6.3.1.","CONFIRM:https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/   |   FEDORA:FEDORA-2019-4b0cc75996   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B/   |   FULLDISC:20200220 Open-Xchange Security Advisory 2020-02-19   |   URL:http://seclists.org/fulldisclosure/2020/Feb/23   |   MISC:http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html   |   MLIST:[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html   |   MLIST:[openoffice-commits] 20191016 svn commit: r1051583 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191016 svn commit: r1868517 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191016 svn commit: r1868522 - /openoffice/ooo-site/trunk/content/security/bulletin.html   |   URL:https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053264 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053267 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053270 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053271 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870322 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870324 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870336 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870337 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69@%3Ccommits.openoffice.apache.org%3E   |   SUSE:openSUSE-SU-2019:2709   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html",Assigned (20190317),"None (candidate not yet proposed)",""
48| 
49|_
50443/tcp open  ssl/http Apache httpd
51|_http-server-header: Apache
52| vulscan: allitems.csv:
53| [CVE-2001-0131,Candidate,"htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.","BID:2182   |   URL:http://www.securityfocus.com/bid/2182   |   BUGTRAQ:20010110 Immunix OS Security update for lots of temp file problems   |   URL:http://marc.info/?l=bugtraq&m=97916374410647&w=2   |   DEBIAN:DSA-021   |   URL:http://www.debian.org/security/2001/dsa-021   |   XF:linux-apache-symlink(5926)   |   URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/5926",Modified (20010430),"   ACCEPT(2) Baker, Cole  |     MODIFY(1) Frech  |     NOOP(3) Christey, Magdych, Wall","Frech> XF:linux-apache-symlink(5926)  |    Christey> XF:linux-apache-symlink  |    URL:http://xforce.iss.net/static/5926.php  |    Christey> http://archives.neohapsis.com/archives/vendor/2001-q1/0019.html  |    Christey> This item may have been re-introduced into the Apache source  |    code sometime during 2002]  CVE-2002-1233 has been created for  |    that version, which affects Apache 1.3.27 and other versions.  |    Christey> As a further clarification, CVE-2002-1233 is *only* for the  |    Debian-specific regression error.  |    Christey> DEBIAN:DSA-195  |    URL:http://www.debian.org/security/2002/dsa-195"
54| [CVE-2002-0563,Candidate,"The default configuration of Oracle 9i Application Server 1.0.2.x allows remote anonymous users to access sensitive services without authentication, including Dynamic Monitoring Services (1) dms0, (2) dms/DMSDump, (3) servlet/DMSDump, (4) servlet/Spy, (5) soap/servlet/Spy, and (6) dms/AggreSpy]  and Oracle Java Process Manager (7) oprocmgr-status and (8) oprocmgr-service, which can be used to control Java processes.","BID:4293   |   URL:http://www.securityfocus.com/bid/4293   |   BUGTRAQ:20020206 Hackproofing Oracle Application Server paper   |   URL:http://marc.info/?l=bugtraq&m=101301813117562&w=2   |   CERT:CA-2002-08   |   URL:http://www.cert.org/advisories/CA-2002-08.html   |   CERT-VN:VU#168795   |   URL:http://www.kb.cert.org/vuls/id/168795   |   CONFIRM:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf   |   MISC:http://www.appsecinc.com/Policy/PolicyCheck7024.html   |   MISC:http://www.nextgenss.com/papers/hpoas.pdf   |   OSVDB:13152   |   URL:http://www.osvdb.org/13152   |   OSVDB:705   |   URL:http://www.osvdb.org/705   |   SECTRACK:1009167   |   URL:http://securitytracker.com/id?1009167   |   XF:oracle-appserver-apache-services(8455)   |   URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/8455",Modified (20070207),"   ACCEPT(3) Alderson, Baker, Cole  |     MODIFY(1) Frech  |     NOOP(3) Cox, Foat, Wall","Frech> XF:oracle-appserver-apache-services(8455)"
55| [CVE-2009-0038,Candidate,"Multiple cross-site scripting (XSS) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) ip, (3) username, or (4) description parameter to console/portal/Server/Monitoring]  or (5) the PATH_INFO to the default URI under console/portal/.","BID:34562   |   URL:http://www.securityfocus.com/bid/34562   |   BUGTRAQ:20090416 [DSECRG-09-019] Apache Geronimo - XSS vulnerabilities.txt   |   URL:http://www.securityfocus.com/archive/1/502734/100/0/threaded   |   CONFIRM:http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214   |   CONFIRM:http://issues.apache.org/jira/browse/GERONIMO-4597   |   MISC:http://dsecrg.com/pages/vul/show.php?id=119   |   SECUNIA:34715   |   URL:http://secunia.com/advisories/34715   |   VUPEN:ADV-2009-1089   |   URL:http://www.vupen.com/english/advisories/2009/1089",Assigned (20081215),"None (candidate not yet proposed)",""
56| [CVE-2010-3449,Candidate,"Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1]  and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1
57| [CVE-2011-0533,Candidate,"Cross-site scripting (XSS) vulnerability in Apache Continuum 1.1 through 1.2.3.1, 1.3.6, and 1.4.0 Beta]  and Archiva 1.3.0 through 1.3.3 and 1.0 through 1.22 allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to the autoIncludeParameters setting for the extremecomponents table.","BID:46311   |   URL:http://www.securityfocus.com/bid/46311   |   BUGTRAQ:20110210 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability   |   URL:http://www.securityfocus.com/archive/1/516342/100/0/threaded   |   BUGTRAQ:20110216 [SECURITY] CVE-2011-0533: Apache Archiva cross-site scripting vulnerability   |   URL:http://www.securityfocus.com/archive/1/516474/100/0/threaded   |   CONFIRM:http://continuum.apache.org/security.html   |   CONFIRM:http://jira.codehaus.org/browse/CONTINUUM-2604   |   CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1066053   |   CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1066056   |   FULLDISC:20110211 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability   |   URL:http://seclists.org/fulldisclosure/2011/Feb/236   |   MLIST:[continuum-users] 20110210 [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability   |   URL:http://mail-archives.apache.org/mod_mbox/continuum-users/201102.mbox/%3C981C0A79-5B7B-4053-84CC-3217870BE360@apache.org%3E   |   OSVDB:70925   |   URL:http://osvdb.org/70925   |   OVAL:oval:org.mitre.oval:def:12581   |   URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12581   |   SECTRACK:1025065   |   URL:http://securitytracker.com/id?1025065   |   SECUNIA:43261   |   URL:http://secunia.com/advisories/43261   |   SECUNIA:43334   |   URL:http://secunia.com/advisories/43334   |   SREASON:8091   |   URL:http://securityreason.com/securityalert/8091   |   VUPEN:ADV-2011-0373   |   URL:http://www.vupen.com/english/advisories/2011/0373   |   VUPEN:ADV-2011-0426   |   URL:http://www.vupen.com/english/advisories/2011/0426   |   XF:continuum-unspec-xss(65343)   |   URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/65343",Assigned (20110120),"None (candidate not yet proposed)",""
58| [CVE-2014-0085,Candidate,"JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated]  previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.","CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085",Assigned (20131203),"None (candidate not yet proposed)",""
59| [CVE-2014-6271,Candidate,"GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ""ShellShock.""  NOTE: the original fix for this issue was incorrect]  CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.","APPLE:APPLE-SA-2014-10-16-1   |   URL:http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html   |   BID:70103   |   URL:http://www.securityfocus.com/bid/70103   |   BUGTRAQ:20141001 NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities   |   URL:http://www.securityfocus.com/archive/1/533593/100/0/threaded   |   CERT:TA14-268A   |   URL:http://www.us-cert.gov/ncas/alerts/TA14-268A   |   CERT-VN:VU#252743   |   URL:http://www.kb.cert.org/vuls/id/252743   |   CISCO:20140926 GNU Bash Environmental Variable Command Injection Vulnerability   |   URL:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash   |   CONFIRM:http://advisories.mageia.org/MGASA-2014-0388.html   |   CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673   |   CONFIRM:http://linux.oracle.com/errata/ELSA-2014-1293.html   |   CONFIRM:http://linux.oracle.com/errata/ELSA-2014-1294.html   |   CONFIRM:http://support.apple.com/kb/HT6495   |   CONFIRM:http://support.novell.com/security/cve/CVE-2014-6271.html   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021272   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021279   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=isg3T1021361   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004879   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004897   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004898   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004915   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685541   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685604   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685733   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685749   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21685914   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686084   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686131   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686246   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686445   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686447   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686479   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21686494   |   CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21687079   |   CONFIRM:http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096315   |   CONFIRM:http://www.novell.com/support/kb/doc.php?id=7015701   |   CONFIRM:http://www.novell.com/support/kb/doc.php?id=7015721   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html   |   CONFIRM:http://www.qnap.com/i/en/support/con_show.php?cid=61   |   CONFIRM:http://www.vmware.com/security/advisories/VMSA-2014-0010.html   |   CONFIRM:http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0   |   CONFIRM:https://access.redhat.com/articles/1200223   |   CONFIRM:https://access.redhat.com/node/1200223   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1141597   |   CONFIRM:https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes   |   CONFIRM:https://kb.bluecoat.com/index?page=content&id=SA82   |   CONFIRM:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10085   |   CONFIRM:https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/   |   CONFIRM:https://support.apple.com/kb/HT6535   |   CONFIRM:https://support.citrix.com/article/CTX200217   |   CONFIRM:https://support.citrix.com/article/CTX200223   |   CONFIRM:https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html   |   CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04497075   |   CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c04518183   |   CONFIRM:https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673&src=securityAlerts   |   CONFIRM:https://www.suse.com/support/shellshock/   |   DEBIAN:DSA-3032   |   URL:http://www.debian.org/security/2014/dsa-3032   |   EXPLOIT-DB:34879   |   URL:https://www.exploit-db.com/exploits/34879/   |   EXPLOIT-DB:37816   |   URL:https://www.exploit-db.com/exploits/37816/   |   EXPLOIT-DB:38849   |   URL:https://www.exploit-db.com/exploits/38849/   |   EXPLOIT-DB:39918   |   URL:https://www.exploit-db.com/exploits/39918/   |   EXPLOIT-DB:40619   |   URL:https://www.exploit-db.com/exploits/40619/   |   EXPLOIT-DB:40938   |   URL:https://www.exploit-db.com/exploits/40938/   |   EXPLOIT-DB:42938   |   URL:https://www.exploit-db.com/exploits/42938/   |   FULLDISC:20141001 FW: NEW VMSA-2014-0010 - VMware product updates address critical Bash security vulnerabilities   |   URL:http://seclists.org/fulldisclosure/2014/Oct/0   |   HP:HPSBGN03117   |   URL:http://marc.info/?l=bugtraq&m=141216207813411&w=2   |   HP:HPSBGN03138   |   URL:http://marc.info/?l=bugtraq&m=141330468527613&w=2   |   HP:HPSBGN03141   |   URL:http://marc.info/?l=bugtraq&m=141383304022067&w=2   |   HP:HPSBGN03142   |   URL:http://marc.info/?l=bugtraq&m=141383244821813&w=2   |   HP:HPSBGN03233   |   URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2   |   HP:HPSBHF03119   |   URL:http://marc.info/?l=bugtraq&m=141216668515282&w=2   |   HP:HPSBHF03124   |   URL:http://marc.info/?l=bugtraq&m=141235957116749&w=2   |   HP:HPSBHF03125   |   URL:http://marc.info/?l=bugtraq&m=141345648114150&w=2   |   HP:HPSBHF03145   |   URL:http://marc.info/?l=bugtraq&m=141383465822787&w=2   |   HP:HPSBHF03146   |   URL:http://marc.info/?l=bugtraq&m=141383353622268&w=2   |   HP:HPSBMU03133   |   URL:http://marc.info/?l=bugtraq&m=141330425327438&w=2   |   HP:HPSBMU03143   |   URL:http://marc.info/?l=bugtraq&m=141383026420882&w=2   |   HP:HPSBMU03144   |   URL:http://marc.info/?l=bugtraq&m=141383081521087&w=2   |   HP:HPSBMU03165   |   URL:http://marc.info/?l=bugtraq&m=141577137423233&w=2   |   HP:HPSBMU03182   |   URL:http://marc.info/?l=bugtraq&m=141585637922673&w=2   |   HP:HPSBMU03217   |   URL:http://marc.info/?l=bugtraq&m=141879528318582&w=2   |   HP:HPSBMU03220   |   URL:http://marc.info/?l=bugtraq&m=142721162228379&w=2   |   HP:HPSBMU03245   |   URL:http://marc.info/?l=bugtraq&m=142358026505815&w=2   |   HP:HPSBMU03246   |   URL:http://marc.info/?l=bugtraq&m=142358078406056&w=2   |   HP:HPSBOV03228   |   URL:http://marc.info/?l=bugtraq&m=142113462216480&w=2   |   HP:HPSBST03122   |   URL:http://marc.info/?l=bugtraq&m=141319209015420&w=2   |   HP:HPSBST03129   |   URL:http://marc.info/?l=bugtraq&m=141383196021590&w=2   |   HP:HPSBST03131   |   URL:http://marc.info/?l=bugtraq&m=141383138121313&w=2   |   HP:HPSBST03148   |   URL:http://marc.info/?l=bugtraq&m=141694386919794&w=2   |   HP:HPSBST03154   |   URL:http://marc.info/?l=bugtraq&m=141577297623641&w=2   |   HP:HPSBST03155   |   URL:http://marc.info/?l=bugtraq&m=141576728022234&w=2   |   HP:HPSBST03157   |   URL:http://marc.info/?l=bugtraq&m=141450491804793&w=2   |   HP:HPSBST03181   |   URL:http://marc.info/?l=bugtraq&m=141577241923505&w=2   |   HP:HPSBST03195   |   URL:http://marc.info/?l=bugtraq&m=142805027510172&w=2   |   HP:HPSBST03196   |   URL:http://marc.info/?l=bugtraq&m=142719845423222&w=2   |   HP:HPSBST03265   |   URL:http://marc.info/?l=bugtraq&m=142546741516006&w=2   |   HP:SSRT101711   |   URL:http://marc.info/?l=bugtraq&m=142113462216480&w=2   |   HP:SSRT101739   |   URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2   |   HP:SSRT101742   |   URL:http://marc.info/?l=bugtraq&m=142358026505815&w=2   |   HP:SSRT101816   |   URL:http://marc.info/?l=bugtraq&m=142719845423222&w=2   |   HP:SSRT101819   |   URL:http://marc.info/?l=bugtraq&m=142721162228379&w=2   |   HP:SSRT101827   |   URL:http://marc.info/?l=bugtraq&m=141879528318582&w=2   |   HP:SSRT101868   |   URL:http://marc.info/?l=bugtraq&m=142118135300698&w=2   |   JVN:JVN#55667175   |   URL:http://jvn.jp/en/jp/JVN55667175/index.html   |   JVNDB:JVNDB-2014-000126   |   URL:http://jvndb.jvn.jp/jvndb/JVNDB-2014-000126   |   MANDRIVA:MDVSA-2015:164   |   URL:http://www.mandriva.com/security/advisories?name=MDVSA-2015:164   |   MISC:http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html   |   MISC:http://packetstormsecurity.com/files/128517/VMware-Security-Advisory-2014-0010.html   |   MISC:http://packetstormsecurity.com/files/128567/CA-Technologies-GNU-Bash-Shellshock.html   |   MISC:http://packetstormsecurity.com/files/128573/Apache-mod_cgi-Remote-Command-Execution.html   |   MISC:http://packetstormsecurity.com/files/137376/IPFire-Bash-Environment-Variable-Injection-Shellshock.html   |   REDHAT:RHSA-2014:1293   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1293.html   |   REDHAT:RHSA-2014:1294   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1294.html   |   REDHAT:RHSA-2014:1295   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1295.html   |   REDHAT:RHSA-2014:1354   |   URL:http://rhn.redhat.com/errata/RHSA-2014-1354.html   |   SECUNIA:58200   |   URL:http://secunia.com/advisories/58200   |   SECUNIA:59272   |   URL:http://secunia.com/advisories/59272   |   SECUNIA:59737   |   URL:http://secunia.com/advisories/59737   |   SECUNIA:59907   |   URL:http://secunia.com/advisories/59907   |   SECUNIA:60024   |   URL:http://secunia.com/advisories/60024   |   SECUNIA:60034   |   URL:http://secunia.com/advisories/60034   |   SECUNIA:60044   |   URL:http://secunia.com/advisories/60044   |   SECUNIA:60055   |   URL:http://secunia.com/advisories/60055   |   SECUNIA:60063   |   URL:http://secunia.com/advisories/60063   |   SECUNIA:60193   |   URL:http://secunia.com/advisories/60193   |   SECUNIA:60325   |   URL:http://secunia.com/advisories/60325   |   SECUNIA:60433   |   URL:http://secunia.com/advisories/60433   |   SECUNIA:60947   |   URL:http://secunia.com/advisories/60947   |   SECUNIA:61065   |   URL:http://secunia.com/advisories/61065   |   SECUNIA:61128   |   URL:http://secunia.com/advisories/61128   |   SECUNIA:61129   |   URL:http://secunia.com/advisories/61129   |   SECUNIA:61188   |   URL:http://secunia.com/advisories/61188   |   SECUNIA:61283   |   URL:http://secunia.com/advisories/61283   |   SECUNIA:61287   |   URL:http://secunia.com/advisories/61287   |   SECUNIA:61291   |   URL:http://secunia.com/advisories/61291   |   SECUNIA:61312   |   URL:http://secunia.com/advisories/61312   |   SECUNIA:61313   |   URL:http://secunia.com/advisories/61313   |   SECUNIA:61328   |   URL:http://secunia.com/advisories/61328   |   SECUNIA:61442   |   URL:http://secunia.com/advisories/61442   |   SECUNIA:61471   |   URL:http://secunia.com/advisories/61471   |   SECUNIA:61485   |   URL:http://secunia.com/advisories/61485   |   SECUNIA:61503   |   URL:http://secunia.com/advisories/61503   |   SECUNIA:61542   |   URL:http://secunia.com/advisories/61542   |   SECUNIA:61547   |   URL:http://secunia.com/advisories/61547   |   SECUNIA:61550   |   URL:http://secunia.com/advisories/61550   |   SECUNIA:61552   |   URL:http://secunia.com/advisories/61552   |   SECUNIA:61565   |   URL:http://secunia.com/advisories/61565   |   SECUNIA:61603   |   URL:http://secunia.com/advisories/61603   |   SECUNIA:61633   |   URL:http://secunia.com/advisories/61633   |   SECUNIA:61641   |   URL:http://secunia.com/advisories/61641   |   SECUNIA:61643   |   URL:http://secunia.com/advisories/61643   |   SECUNIA:61654   |   URL:http://secunia.com/advisories/61654   |   SECUNIA:61676   |   URL:http://secunia.com/advisories/61676   |   SECUNIA:61700   |   URL:http://secunia.com/advisories/61700   |   SECUNIA:61703   |   URL:http://secunia.com/advisories/61703   |   SECUNIA:61711   |   URL:http://secunia.com/advisories/61711   |   SECUNIA:61715   |   URL:http://secunia.com/advisories/61715   |   SECUNIA:61780   |   URL:http://secunia.com/advisories/61780   |   SECUNIA:61816   |   URL:http://secunia.com/advisories/61816   |   SECUNIA:61855   |   URL:http://secunia.com/advisories/61855   |   SECUNIA:61857   |   URL:http://secunia.com/advisories/61857   |   SECUNIA:61873   |   URL:http://secunia.com/advisories/61873   |   SECUNIA:62228   |   URL:http://secunia.com/advisories/62228   |   SECUNIA:62312   |   URL:http://secunia.com/advisories/62312   |   SECUNIA:62343   |   URL:http://secunia.com/advisories/62343   |   SUSE:SUSE-SU-2014:1212   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00028.html   |   SUSE:SUSE-SU-2014:1213   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00029.html   |   SUSE:SUSE-SU-2014:1223   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00034.html   |   SUSE:SUSE-SU-2014:1260   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00049.html   |   SUSE:SUSE-SU-2014:1287   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00004.html   |   SUSE:openSUSE-SU-2014:1226   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00037.html   |   SUSE:openSUSE-SU-2014:1238   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00040.html   |   SUSE:openSUSE-SU-2014:1254   |   URL:http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00044.html   |   SUSE:openSUSE-SU-2014:1308   |   URL:http://lists.opensuse.org/opensuse-updates/2014-10/msg00023.html   |   SUSE:openSUSE-SU-2014:1310   |   URL:http://lists.opensuse.org/opensuse-updates/2014-10/msg00025.html   |   UBUNTU:USN-2362-1   |   URL:http://www.ubuntu.com/usn/USN-2362-1",Assigned (20140909),"None (candidate not yet proposed)",""
60| [CVE-2016-2166,Candidate,"The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.","BUGTRAQ:20160323 CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for 'amqps' if SSL/TLS not supported   |   URL:http://www.securityfocus.com/archive/1/537864/100/0/threaded   |   CONFIRM:http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html   |   CONFIRM:https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git] h=a058585   |   CONFIRM:https://issues.apache.org/jira/browse/PROTON-1157   |   FEDORA:FEDORA-2016-e6e8436b98   |   URL:http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html   |   MISC:http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html   |   MLIST:[qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223   |   URL:https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E",Assigned (20160129),"None (candidate not yet proposed)",""
61| [CVE-2016-4462,Candidate,"By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage]  a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01","MLIST:[www-announce] 20161129 [SECURITY] CVE-2016-4462 OFBiz template remote code vulnerability   |   URL:http://git.net/ml/dev.ofbiz.apache.org/2016-11/msg00180.html",Assigned (20160502),"None (candidate not yet proposed)",""
62| [CVE-2016-5387,Candidate,"The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an ""httpoxy"" issue.  NOTE: the vendor states ""This mitigation has been assigned the identifier CVE-2016-5387""]  in other words, this is not a CVE ID for a vulnerability.","BID:91816   |   URL:http://www.securityfocus.com/bid/91816   |   CERT-VN:VU#797896   |   URL:http://www.kb.cert.org/vuls/id/797896   |   CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html   |   CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html   |   CONFIRM:https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722   |   CONFIRM:https://support.apple.com/HT208221   |   CONFIRM:https://www.apache.org/security/asf-httpoxy-response.txt   |   CONFIRM:https://www.tenable.com/security/tns-2017-04   |   DEBIAN:DSA-3623   |   URL:http://www.debian.org/security/2016/dsa-3623   |   FEDORA:FEDORA-2016-683d0b257b   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/   |   FEDORA:FEDORA-2016-9fd9bfab9e   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEKZAB7MTWVSMORHTEMCQNFFMIHCYF76/   |   FEDORA:FEDORA-2016-a29c65b00f   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6WCTE7443AYZ4EGELWLVNANA2WJCJIYI/   |   FEDORA:FEDORA-2016-df0726ae26   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TGNHXJJSWDXAOEYH5TMXDPQVJMQQJOAZ/   |   GENTOO:GLSA-201701-36   |   URL:https://security.gentoo.org/glsa/201701-36   |   MISC:https://httpoxy.org/   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E   |   MLIST:[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html   |   URL:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E   |   REDHAT:RHSA-2016:1420   |   URL:https://access.redhat.com/errata/RHSA-2016:1420   |   REDHAT:RHSA-2016:1421   |   URL:https://access.redhat.com/errata/RHSA-2016:1421   |   REDHAT:RHSA-2016:1422   |   URL:https://access.redhat.com/errata/RHSA-2016:1422   |   REDHAT:RHSA-2016:1624   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1624.html   |   REDHAT:RHSA-2016:1625   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1625.html   |   REDHAT:RHSA-2016:1635   |   URL:https://access.redhat.com/errata/RHSA-2016:1635   |   REDHAT:RHSA-2016:1636   |   URL:https://access.redhat.com/errata/RHSA-2016:1636   |   REDHAT:RHSA-2016:1648   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1648.html   |   REDHAT:RHSA-2016:1649   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1649.html   |   REDHAT:RHSA-2016:1650   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1650.html   |   REDHAT:RHSA-2016:1851   |   URL:https://access.redhat.com/errata/RHSA-2016:1851   |   SECTRACK:1036330   |   URL:http://www.securitytracker.com/id/1036330   |   SUSE:openSUSE-SU-2016:1824   |   URL:http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html   |   UBUNTU:USN-3038-1   |   URL:http://www.ubuntu.com/usn/USN-3038-1",Assigned (20160610),"None (candidate not yet proposed)",""
63| [CVE-2016-5388,Candidate,"Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an ""httpoxy"" issue. NOTE: the vendor states ""A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388""]  in other words, this is not a CVE ID for a vulnerability.","BID:91818   |   URL:http://www.securityfocus.com/bid/91818   |   CERT-VN:VU#797896   |   URL:http://www.kb.cert.org/vuls/id/797896   |   CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html   |   CONFIRM:http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html   |   CONFIRM:https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759   |   CONFIRM:https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722   |   CONFIRM:https://tomcat.apache.org/tomcat-7.0-doc/changelog.html   |   CONFIRM:https://www.apache.org/security/asf-httpoxy-response.txt   |   MISC:https://httpoxy.org/   |   MLIST:[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar   |   URL:https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.   |   URL:https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190925 [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar   |   URL:https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E   |   MLIST:[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html   |   REDHAT:RHSA-2016:1624   |   URL:http://rhn.redhat.com/errata/RHSA-2016-1624.html   |   REDHAT:RHSA-2016:1635   |   URL:https://access.redhat.com/errata/RHSA-2016:1635   |   REDHAT:RHSA-2016:1636   |   URL:https://access.redhat.com/errata/RHSA-2016:1636   |   REDHAT:RHSA-2016:2045   |   URL:http://rhn.redhat.com/errata/RHSA-2016-2045.html   |   REDHAT:RHSA-2016:2046   |   URL:http://rhn.redhat.com/errata/RHSA-2016-2046.html   |   SECTRACK:1036331   |   URL:http://www.securitytracker.com/id/1036331   |   SUSE:openSUSE-SU-2016:2252   |   URL:http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html",Assigned (20160610),"None (candidate not yet proposed)",""
64| [CVE-2016-6799,Candidate,"Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application]  any application installed on the device has the capability to read data logged by other applications.","BID:98365   |   URL:http://www.securityfocus.com/bid/98365   |   MLIST:[dev] 20170509 CVE-2016-6799: Internal system information leak   |   URL:https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69@%3Cdev.cordova.apache.org%3E",Assigned (20160812),"None (candidate not yet proposed)",""
65| [CVE-2017-15714,Candidate,"The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code ""__format=%27] alert(%27xss%27)"" to the URL an alert window would execute.","MLIST:[user] 20180103 [SECURITY] CVE-2017-15714 Apache OFBiz BIRT code vulnerability   |   URL:https://s.apache.org/UO3W",Assigned (20171021),"None (candidate not yet proposed)",""
66| [CVE-2017-17837,Candidate,"The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1.","CONFIRM:https://git-wip-us.apache.org/repos/asf?p=deltaspike.git] h=4e25023   |   CONFIRM:https://issues.apache.org/jira/browse/DELTASPIKE-1307",Assigned (20171222),"None (candidate not yet proposed)",""
67| [CVE-2018-11786,Candidate,"In Apache Karaf prior to 4.2.0 release, if the sshd service in Karaf is left on so an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access. This can be locked down a bit by using chroot to change the root directory to protect files outside of the Karaf install directory]  it can be further locked down by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with ssh access to the Karaf process to read and write a large number of files as the Karaf process user.","CONFIRM:http://karaf.apache.org/security/cve-2018-11786.txt   |   CONFIRM:https://issues.apache.org/jira/browse/KARAF-5427   |   MLIST:[karaf-dev] 20180918 [SECURITY] New security advisory for CVE-2018-11786 released for Apache Karaf   |   URL:https://lists.apache.org/thread.html/5b7ac762c6bbe77ac5d9389f093fc6dbf196c36d788e3d7629e6c1d9@%3Cdev.karaf.apache.org%3E",Assigned (20180605),"None (candidate not yet proposed)",""
68| [CVE-2018-1199,Candidate,"Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1]  and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.","CONFIRM:https://pivotal.io/security/cve-2018-1199   |   MLIST:[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)   |   URL:https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar   |   URL:https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E   |   MLIST:[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar   |   URL:https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E   |   REDHAT:RHSA-2018:2405   |   URL:https://access.redhat.com/errata/RHSA-2018:2405",Assigned (20171206),"None (candidate not yet proposed)",""
69| [CVE-2018-1336,Candidate,"An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.","BID:104898   |   URL:http://www.securityfocus.com/bid/104898   |   CONFIRM:https://security.netapp.com/advisory/ntap-20180817-0001/   |   CONFIRM:https://support.f5.com/csp/article/K73008537?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4281   |   URL:https://www.debian.org/security/2018/dsa-4281   |   MLIST:[debian-lts-announce] 20180902 [SECURITY] [DLA 1491-1] tomcat8 security update   |   URL:https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html   |   MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/   |   URL:https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/   |   URL:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E   |   MLIST:[www-announce] 20180722 [SECURITY] CVE-2018-1336 Apache Tomcat - Denial of Service   |   URL:http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E   |   REDHAT:RHEA-2018:2188   |   URL:https://access.redhat.com/errata/RHEA-2018:2188   |   REDHAT:RHEA-2018:2189   |   URL:https://access.redhat.com/errata/RHEA-2018:2189   |   REDHAT:RHSA-2018:2700   |   URL:https://access.redhat.com/errata/RHSA-2018:2700   |   REDHAT:RHSA-2018:2701   |   URL:https://access.redhat.com/errata/RHSA-2018:2701   |   REDHAT:RHSA-2018:2740   |   URL:https://access.redhat.com/errata/RHSA-2018:2740   |   REDHAT:RHSA-2018:2741   |   URL:https://access.redhat.com/errata/RHSA-2018:2741   |   REDHAT:RHSA-2018:2742   |   URL:https://access.redhat.com/errata/RHSA-2018:2742   |   REDHAT:RHSA-2018:2743   |   URL:https://access.redhat.com/errata/RHSA-2018:2743   |   REDHAT:RHSA-2018:2921   |   URL:https://access.redhat.com/errata/RHSA-2018:2921   |   REDHAT:RHSA-2018:2930   |   URL:https://access.redhat.com/errata/RHSA-2018:2930   |   REDHAT:RHSA-2018:2939   |   URL:https://access.redhat.com/errata/RHSA-2018:2939   |   REDHAT:RHSA-2018:2945   |   URL:https://access.redhat.com/errata/RHSA-2018:2945   |   REDHAT:RHSA-2018:3768   |   URL:https://access.redhat.com/errata/RHSA-2018:3768   |   SECTRACK:1041375   |   URL:http://www.securitytracker.com/id/1041375   |   UBUNTU:USN-3723-1   |   URL:https://usn.ubuntu.com/3723-1/",Assigned (20171207),"None (candidate not yet proposed)",""
70| [CVE-2018-16890,Candidate,"libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.","BID:106947   |   URL:http://www.securityfocus.com/bid/106947   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890   |   CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190315-0001/   |   CONFIRM:https://support.f5.com/csp/article/K03314397?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4386   |   URL:https://www.debian.org/security/2019/dsa-4386   |   MISC:https://curl.haxx.se/docs/CVE-2018-16890.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html   |   MLIST:[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.   |   URL:https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E   |   REDHAT:RHSA-2019:3701   |   URL:https://access.redhat.com/errata/RHSA-2019:3701   |   UBUNTU:USN-3882-1   |   URL:https://usn.ubuntu.com/3882-1/",Assigned (20180911),"None (candidate not yet proposed)",""
71| [CVE-2018-8010,Candidate,"This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader)]  usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.","BID:104239   |   URL:http://www.securityfocus.com/bid/104239   |   MISC:https://mail-archives.apache.org/mod_mbox/www-announce/201805.mbox/%3C08a801d3f0f9%24df46d300%249dd47900%24%40apache.org%3E",Assigned (20180309),"None (candidate not yet proposed)",""
72| [CVE-2018-8039,Candidate,"It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty(""java.protocol.handler.pkgs"", ""com.sun.net.ssl.internal.www.protocol"")] '. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.","BID:106357   |   URL:http://www.securityfocus.com/bid/106357   |   CONFIRM:http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2   |   CONFIRM:https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b   |   MISC:https://www.oracle.com/security-alerts/cpujan2020.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html   |   MLIST:[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html   |   URL:https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E   |   MLIST:[cxf-user] 20180628 Apache CXF 3.2.6 and 3.1.16 are released   |   URL:https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866@%3Cdev.cxf.apache.org%3E   |   REDHAT:RHSA-2018:2276   |   URL:https://access.redhat.com/errata/RHSA-2018:2276   |   REDHAT:RHSA-2018:2277   |   URL:https://access.redhat.com/errata/RHSA-2018:2277   |   REDHAT:RHSA-2018:2279   |   URL:https://access.redhat.com/errata/RHSA-2018:2279   |   REDHAT:RHSA-2018:2423   |   URL:https://access.redhat.com/errata/RHSA-2018:2423   |   REDHAT:RHSA-2018:2424   |   URL:https://access.redhat.com/errata/RHSA-2018:2424   |   REDHAT:RHSA-2018:2425   |   URL:https://access.redhat.com/errata/RHSA-2018:2425   |   REDHAT:RHSA-2018:2428   |   URL:https://access.redhat.com/errata/RHSA-2018:2428   |   REDHAT:RHSA-2018:2643   |   URL:https://access.redhat.com/errata/RHSA-2018:2643   |   REDHAT:RHSA-2018:3768   |   URL:https://access.redhat.com/errata/RHSA-2018:3768   |   REDHAT:RHSA-2018:3817   |   URL:https://access.redhat.com/errata/RHSA-2018:3817   |   SECTRACK:1041199   |   URL:http://www.securitytracker.com/id/1041199",Assigned (20180309),"None (candidate not yet proposed)",""
73| [CVE-2019-0221,Candidate,"The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.","BID:108545   |   URL:http://www.securityfocus.com/bid/108545   |   BUGTRAQ:20191229 [SECURITY] [DSA 4596-1] tomcat8 security update   |   URL:https://seclists.org/bugtraq/2019/Dec/43   |   CONFIRM:https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190606-0001/   |   CONFIRM:https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4596   |   URL:https://www.debian.org/security/2019/dsa-4596   |   FEDORA:FEDORA-2019-1a3f878d27   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/   |   FEDORA:FEDORA-2019-d66febb5df   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/   |   FULLDISC:20190529 XSS in SSI printenv command - Apache Tomcat - CVE-2019-0221   |   URL:http://seclists.org/fulldisclosure/2019/May/50   |   MISC:https://www.oracle.com/security-alerts/cpujan2020.html   |   MISC:https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/   |   MLIST:[announce] 20200131 Apache Software Foundation Security Report: 2019   |   URL:https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E   |   MLIST:[debian-lts-announce] 20190530 [SECURITY] [DLA 1810-1] tomcat7 security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html   |   MLIST:[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E   |   REDHAT:RHSA-2019:3929   |   URL:https://access.redhat.com/errata/RHSA-2019:3929   |   REDHAT:RHSA-2019:3931   |   URL:https://access.redhat.com/errata/RHSA-2019:3931   |   SUSE:openSUSE-SU-2019:1673   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html   |   SUSE:openSUSE-SU-2019:1808   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html   |   UBUNTU:USN-4128-1   |   URL:https://usn.ubuntu.com/4128-1/   |   UBUNTU:USN-4128-2   |   URL:https://usn.ubuntu.com/4128-2/",Assigned (20181114),"None (candidate not yet proposed)",""
74| [CVE-2019-0224,Candidate,"In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser]  only on its own browser.","BID:107631   |   URL:http://www.securityfocus.com/bid/107631   |   CONFIRM:https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224   |   MLIST:[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures   |   URL:https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E   |   MLIST:[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures   |   URL:https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E   |   MLIST:[jspwiki-dev] 20190326 [CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability   |   URL:https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67@%3Cdev.jspwiki.apache.org%3E",Assigned (20181114),"None (candidate not yet proposed)",""
75| [CVE-2019-10081,Candidate,"HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with ""H2PushResource"", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.","BUGTRAQ:20190826 [SECURITY] [DSA 4509-1] apache2 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/47   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190905-0003/   |   CONFIRM:https://support.f5.com/csp/article/K84341091?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4509   |   URL:https://www.debian.org/security/2019/dsa-4509   |   GENTOO:GLSA-201909-04   |   URL:https://security.gentoo.org/glsa/201909-04   |   MISC:https://httpd.apache.org/security/vulnerabilities_24.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html   |   SUSE:openSUSE-SU-2019:2051   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html   |   UBUNTU:USN-4113-1   |   URL:https://usn.ubuntu.com/4113-1/",Assigned (20190326),"None (candidate not yet proposed)",""
76| [CVE-2019-11231,Candidate,"An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user]  however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since they decided to roll their own implementation. The cookie_name is crafted information that can be leaked from the frontend (site name and version). If a someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on an SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for forms submissions via POST requests, and for the csrf nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web accessible and executable files with arbitrary content.","MISC:http://packetstormsecurity.com/files/152961/GetSimpleCMS-3.3.15-Remote-Code-Execution.html   |   MISC:https://ssd-disclosure.com/?p=3899&preview=true",Assigned (20190414),"None (candidate not yet proposed)",""
77| [CVE-2019-12401,Candidate,"Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it&#8217] s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.","CONFIRM:https://security.netapp.com/advisory/ntap-20190926-0002/   |   MLIST:[lucene-dev] 20190911 [jira] [Commented] (SOLR-13750) [CVE-2019-12401] XML Bomb in Apache Solr versions prior to 5.0.0   |   URL:https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E   |   MLIST:[www-announce] 20190909 [SECURITY] CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0   |   URL:http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E",Assigned (20190528),"None (candidate not yet proposed)",""
78| [CVE-2019-12405,Candidate,"Improper authentication is possible in Apache Traffic Control versions 3.0.0 and 3.0.1 if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.","CONFIRM:https://support.f5.com/csp/article/K84141859   |   CONFIRM:https://support.f5.com/csp/article/K84141859?utm_source=f5support&amp] utm_medium=RSS   |   MLIST:[trafficcontrol-users] 20190906 CVE-2019-12405: Apache Traffic Control LDAP-based authentication vulnerability   |   URL:https://lists.apache.org/thread.html/e128e9d382f3b0d074e2b597ac58e1d92139394509d81ddbc9e3700e@%3Cusers.trafficcontrol.apache.org%3E",Assigned (20190528),"None (candidate not yet proposed)",""
79| [CVE-2019-12409,Candidate,"The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.","CONFIRM:https://support.f5.com/csp/article/K23720587?utm_source=f5support&amp] utm_medium=RSS   |   MLIST:[lucene-solr-user] 20191118 CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default   |   URL:https://lists.apache.org/thread.html/6640c7e370fce2b74e466a605a46244ccc40666ad9e3064a4e04a85d@%3Csolr-user.lucene.apache.org%3E",Assigned (20190528),"None (candidate not yet proposed)",""
80| [CVE-2019-12418,Candidate,"When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.","BUGTRAQ:20191229 [SECURITY] [DSA 4596-1] tomcat8 security update   |   URL:https://seclists.org/bugtraq/2019/Dec/43   |   CONFIRM:https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E   |   CONFIRM:https://security.netapp.com/advisory/ntap-20200107-0001/   |   CONFIRM:https://support.f5.com/csp/article/K10107360?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4596   |   URL:https://www.debian.org/security/2019/dsa-4596   |   MLIST:[debian-lts-announce] 20200127 [SECURITY] [DLA 2077-1] tomcat7 security update   |   URL:https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E   |   MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/   |   URL:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E   |   SUSE:openSUSE-SU-2020:0038   |   URL:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html   |   UBUNTU:USN-4251-1   |   URL:https://usn.ubuntu.com/4251-1/",Assigned (20190528),"None (candidate not yet proposed)",""
81| [CVE-2019-17570,Candidate,"An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.","BUGTRAQ:20200210 [SECURITY] [DSA 4619-1] libxmlrpc3-java security update   |   URL:https://seclists.org/bugtraq/2020/Feb/8   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570]    |   CONFIRM:https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E   |   DEBIAN:DSA-4619   |   URL:https://www.debian.org/security/2020/dsa-4619   |   MLIST:[debian-lts-announce] 20200130 [SECURITY] [DLA 2078-1] libxmlrpc3-java security update   |   URL:https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html   |   MLIST:[oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization   |   URL:http://www.openwall.com/lists/oss-security/2020/01/24/2   |   REDHAT:RHSA-2020:0310   |   URL:https://access.redhat.com/errata/RHSA-2020:0310",Assigned (20191014),"None (candidate not yet proposed)",""
82| [CVE-2019-3822,Candidate,"libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.","BID:106950   |   URL:http://www.securityfocus.com/bid/106950   |   CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822   |   CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190315-0001/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190719-0004/   |   CONFIRM:https://support.f5.com/csp/article/K84141449   |   CONFIRM:https://support.f5.com/csp/article/K84141449?utm_source=f5support&amp] utm_medium=RSS   |   DEBIAN:DSA-4386   |   URL:https://www.debian.org/security/2019/dsa-4386   |   GENTOO:GLSA-201903-03   |   URL:https://security.gentoo.org/glsa/201903-03   |   MISC:https://curl.haxx.se/docs/CVE-2019-3822.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html   |   MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html   |   MLIST:[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.   |   URL:https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E   |   REDHAT:RHSA-2019:3701   |   URL:https://access.redhat.com/errata/RHSA-2019:3701   |   UBUNTU:USN-3882-1   |   URL:https://usn.ubuntu.com/3882-1/",Assigned (20190103),"None (candidate not yet proposed)",""
83| [CVE-2019-8331,Candidate,"In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.","BID:107375   |   URL:http://www.securityfocus.com/bid/107375   |   BUGTRAQ:20190509 dotCMS v5.1.1 Vulnerabilities   |   URL:https://seclists.org/bugtraq/2019/May/18   |   CONFIRM:https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/   |   CONFIRM:https://support.f5.com/csp/article/K24383845   |   CONFIRM:https://support.f5.com/csp/article/K24383845?utm_source=f5support&amp] utm_medium=RSS   |   FULLDISC:20190510 Re: dotCMS v5.1.1 HTML Injection & XSS Vulnerability   |   URL:http://seclists.org/fulldisclosure/2019/May/13   |   FULLDISC:20190510 dotCMS v5.1.1 HTML Injection & XSS Vulnerability   |   URL:http://seclists.org/fulldisclosure/2019/May/11   |   FULLDISC:20190510 dotCMS v5.1.1 Vulnerabilities   |   URL:http://seclists.org/fulldisclosure/2019/May/10   |   MISC:http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html   |   MISC:https://github.com/twbs/bootstrap/pull/28236   |   MISC:https://github.com/twbs/bootstrap/releases/tag/v3.4.1   |   MISC:https://github.com/twbs/bootstrap/releases/tag/v4.3.1   |   MLIST:[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities   |   URL:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E   |   MLIST:[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities   |   URL:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E   |   MLIST:[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities   |   URL:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E   |   MLIST:[flink-dev] 20190811 Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E   |   MLIST:[flink-user] 20190811 Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E   |   MLIST:[flink-user] 20190813 Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E   |   MLIST:[flink-user] 20190813 Re: Apache flink 1.7.2 security issues   |   URL:https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E   |   MLIST:[superset-dev] 20190926 Re: [VOTE] Release Superset 0.34.1 based on Superset 0.34.1rc1   |   URL:https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@%3Cdev.superset.apache.org%3E   |   REDHAT:RHSA-2019:1456   |   URL:https://access.redhat.com/errata/RHSA-2019:1456   |   REDHAT:RHSA-2019:3023   |   URL:https://access.redhat.com/errata/RHSA-2019:3023   |   REDHAT:RHSA-2019:3024   |   URL:https://access.redhat.com/errata/RHSA-2019:3024",Assigned (20190213),"None (candidate not yet proposed)",""
84| [CVE-2019-9512,Candidate,"Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/31   |   BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update   |   URL:https://seclists.org/bugtraq/2019/Aug/43   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0001/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0004/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K98053339   |   CONFIRM:https://support.f5.com/csp/article/K98053339?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4503   |   URL:https://www.debian.org/security/2019/dsa-4503   |   DEBIAN:DSA-4508   |   URL:https://www.debian.org/security/2019/dsa-4508   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-55d101a740   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-65db7ad6c7   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514   |   URL:http://www.openwall.com/lists/oss-security/2019/08/20/1   |   MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2594   |   URL:https://access.redhat.com/errata/RHSA-2019:2594   |   REDHAT:RHSA-2019:2661   |   URL:https://access.redhat.com/errata/RHSA-2019:2661   |   REDHAT:RHSA-2019:2682   |   URL:https://access.redhat.com/errata/RHSA-2019:2682   |   REDHAT:RHSA-2019:2690   |   URL:https://access.redhat.com/errata/RHSA-2019:2690   |   REDHAT:RHSA-2019:2726   |   URL:https://access.redhat.com/errata/RHSA-2019:2726   |   REDHAT:RHSA-2019:2766   |   URL:https://access.redhat.com/errata/RHSA-2019:2766   |   REDHAT:RHSA-2019:2769   |   URL:https://access.redhat.com/errata/RHSA-2019:2769   |   REDHAT:RHSA-2019:2796   |   URL:https://access.redhat.com/errata/RHSA-2019:2796   |   REDHAT:RHSA-2019:2861   |   URL:https://access.redhat.com/errata/RHSA-2019:2861   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:2966   |   URL:https://access.redhat.com/errata/RHSA-2019:2966   |   REDHAT:RHSA-2019:3131   |   URL:https://access.redhat.com/errata/RHSA-2019:3131   |   REDHAT:RHSA-2019:3245   |   URL:https://access.redhat.com/errata/RHSA-2019:3245   |   REDHAT:RHSA-2019:3265   |   URL:https://access.redhat.com/errata/RHSA-2019:3265   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:3906   |   URL:https://access.redhat.com/errata/RHSA-2019:3906   |   REDHAT:RHSA-2019:4018   |   URL:https://access.redhat.com/errata/RHSA-2019:4018   |   REDHAT:RHSA-2019:4019   |   URL:https://access.redhat.com/errata/RHSA-2019:4019   |   REDHAT:RHSA-2019:4020   |   URL:https://access.redhat.com/errata/RHSA-2019:4020   |   REDHAT:RHSA-2019:4021   |   URL:https://access.redhat.com/errata/RHSA-2019:4021   |   REDHAT:RHSA-2019:4040   |   URL:https://access.redhat.com/errata/RHSA-2019:4040   |   REDHAT:RHSA-2019:4041   |   URL:https://access.redhat.com/errata/RHSA-2019:4041   |   REDHAT:RHSA-2019:4042   |   URL:https://access.redhat.com/errata/RHSA-2019:4042   |   REDHAT:RHSA-2019:4045   |   URL:https://access.redhat.com/errata/RHSA-2019:4045   |   REDHAT:RHSA-2019:4269   |   URL:https://access.redhat.com/errata/RHSA-2019:4269   |   REDHAT:RHSA-2019:4273   |   URL:https://access.redhat.com/errata/RHSA-2019:4273   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0406   |   URL:https://access.redhat.com/errata/RHSA-2020:0406   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2000   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html   |   SUSE:openSUSE-SU-2019:2056   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html   |   SUSE:openSUSE-SU-2019:2072   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html   |   SUSE:openSUSE-SU-2019:2085   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html   |   SUSE:openSUSE-SU-2019:2130   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html",Assigned (20190301),"None (candidate not yet proposed)",""
85| [CVE-2019-9514,Candidate,"Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/31   |   BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update   |   URL:https://seclists.org/bugtraq/2019/Aug/43   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0001/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0004/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K01988340   |   CONFIRM:https://support.f5.com/csp/article/K01988340?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4503   |   URL:https://www.debian.org/security/2019/dsa-4503   |   DEBIAN:DSA-4508   |   URL:https://www.debian.org/security/2019/dsa-4508   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-55d101a740   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-65db7ad6c7   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514   |   URL:http://www.openwall.com/lists/oss-security/2019/08/20/1   |   MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2594   |   URL:https://access.redhat.com/errata/RHSA-2019:2594   |   REDHAT:RHSA-2019:2661   |   URL:https://access.redhat.com/errata/RHSA-2019:2661   |   REDHAT:RHSA-2019:2682   |   URL:https://access.redhat.com/errata/RHSA-2019:2682   |   REDHAT:RHSA-2019:2690   |   URL:https://access.redhat.com/errata/RHSA-2019:2690   |   REDHAT:RHSA-2019:2726   |   URL:https://access.redhat.com/errata/RHSA-2019:2726   |   REDHAT:RHSA-2019:2766   |   URL:https://access.redhat.com/errata/RHSA-2019:2766   |   REDHAT:RHSA-2019:2769   |   URL:https://access.redhat.com/errata/RHSA-2019:2769   |   REDHAT:RHSA-2019:2796   |   URL:https://access.redhat.com/errata/RHSA-2019:2796   |   REDHAT:RHSA-2019:2861   |   URL:https://access.redhat.com/errata/RHSA-2019:2861   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:2966   |   URL:https://access.redhat.com/errata/RHSA-2019:2966   |   REDHAT:RHSA-2019:3131   |   URL:https://access.redhat.com/errata/RHSA-2019:3131   |   REDHAT:RHSA-2019:3245   |   URL:https://access.redhat.com/errata/RHSA-2019:3245   |   REDHAT:RHSA-2019:3265   |   URL:https://access.redhat.com/errata/RHSA-2019:3265   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:3906   |   URL:https://access.redhat.com/errata/RHSA-2019:3906   |   REDHAT:RHSA-2019:4018   |   URL:https://access.redhat.com/errata/RHSA-2019:4018   |   REDHAT:RHSA-2019:4019   |   URL:https://access.redhat.com/errata/RHSA-2019:4019   |   REDHAT:RHSA-2019:4020   |   URL:https://access.redhat.com/errata/RHSA-2019:4020   |   REDHAT:RHSA-2019:4021   |   URL:https://access.redhat.com/errata/RHSA-2019:4021   |   REDHAT:RHSA-2019:4040   |   URL:https://access.redhat.com/errata/RHSA-2019:4040   |   REDHAT:RHSA-2019:4041   |   URL:https://access.redhat.com/errata/RHSA-2019:4041   |   REDHAT:RHSA-2019:4042   |   URL:https://access.redhat.com/errata/RHSA-2019:4042   |   REDHAT:RHSA-2019:4045   |   URL:https://access.redhat.com/errata/RHSA-2019:4045   |   REDHAT:RHSA-2019:4269   |   URL:https://access.redhat.com/errata/RHSA-2019:4269   |   REDHAT:RHSA-2019:4273   |   URL:https://access.redhat.com/errata/RHSA-2019:4273   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0406   |   URL:https://access.redhat.com/errata/RHSA-2020:0406   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2000   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html   |   SUSE:openSUSE-SU-2019:2056   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html   |   SUSE:openSUSE-SU-2019:2072   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html   |   SUSE:openSUSE-SU-2019:2085   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html   |   SUSE:openSUSE-SU-2019:2130   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html",Assigned (20190301),"None (candidate not yet proposed)",""
86| [CVE-2019-9515,Candidate,"Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update   |   URL:https://seclists.org/bugtraq/2019/Aug/43   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K50233772   |   CONFIRM:https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4508   |   URL:https://www.debian.org/security/2019/dsa-4508   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks   |   URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2766   |   URL:https://access.redhat.com/errata/RHSA-2019:2766   |   REDHAT:RHSA-2019:2796   |   URL:https://access.redhat.com/errata/RHSA-2019:2796   |   REDHAT:RHSA-2019:2861   |   URL:https://access.redhat.com/errata/RHSA-2019:2861   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:4018   |   URL:https://access.redhat.com/errata/RHSA-2019:4018   |   REDHAT:RHSA-2019:4019   |   URL:https://access.redhat.com/errata/RHSA-2019:4019   |   REDHAT:RHSA-2019:4020   |   URL:https://access.redhat.com/errata/RHSA-2019:4020   |   REDHAT:RHSA-2019:4021   |   URL:https://access.redhat.com/errata/RHSA-2019:4021   |   REDHAT:RHSA-2019:4040   |   URL:https://access.redhat.com/errata/RHSA-2019:4040   |   REDHAT:RHSA-2019:4041   |   URL:https://access.redhat.com/errata/RHSA-2019:4041   |   REDHAT:RHSA-2019:4042   |   URL:https://access.redhat.com/errata/RHSA-2019:4042   |   REDHAT:RHSA-2019:4045   |   URL:https://access.redhat.com/errata/RHSA-2019:4045   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html",Assigned (20190301),"None (candidate not yet proposed)",""
87| [CVE-2019-9517,Candidate,"Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint]  however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.","BUGTRAQ:20190826 [SECURITY] [DSA 4509-1] apache2 security update   |   URL:https://seclists.org/bugtraq/2019/Aug/47   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0003/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190905-0003/   |   CONFIRM:https://support.f5.com/csp/article/K02591030   |   CONFIRM:https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp
88| [CVE-2019-9518,Candidate,"Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.","BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:https://seclists.org/bugtraq/2019/Aug/24   |   BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update   |   URL:https://seclists.org/bugtraq/2019/Sep/18   |   CERT-VN:VU#605641   |   URL:https://kb.cert.org/vuls/id/605641/   |   CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296   |   CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/   |   CONFIRM:https://support.f5.com/csp/article/K46011592   |   CONFIRM:https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp] utm_medium=RSS   |   CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33   |   DEBIAN:DSA-4520   |   URL:https://www.debian.org/security/2019/dsa-4520   |   FEDORA:FEDORA-2019-5a6a7bc12c   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/   |   FEDORA:FEDORA-2019-6a2980de56   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/   |   FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0   |   URL:http://seclists.org/fulldisclosure/2019/Aug/16   |   MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md   |   MLIST:[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities   |   URL:https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E   |   MLIST:[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames   |   URL:https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E   |   MLIST:[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames   |   URL:https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E   |   MLIST:[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames   |   URL:https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E   |   REDHAT:RHSA-2019:2925   |   URL:https://access.redhat.com/errata/RHSA-2019:2925   |   REDHAT:RHSA-2019:2939   |   URL:https://access.redhat.com/errata/RHSA-2019:2939   |   REDHAT:RHSA-2019:2955   |   URL:https://access.redhat.com/errata/RHSA-2019:2955   |   REDHAT:RHSA-2019:3892   |   URL:https://access.redhat.com/errata/RHSA-2019:3892   |   REDHAT:RHSA-2019:4352   |   URL:https://access.redhat.com/errata/RHSA-2019:4352   |   REDHAT:RHSA-2020:0727   |   URL:https://access.redhat.com/errata/RHSA-2020:0727   |   SUSE:openSUSE-SU-2019:2114   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html   |   SUSE:openSUSE-SU-2019:2115   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html",Assigned (20190301),"None (candidate not yet proposed)",""
89| [CVE-2019-9853,Candidate,"LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7]  LibreOffice 6.3 series versions prior to 6.3.1.","CONFIRM:https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/   |   FEDORA:FEDORA-2019-4b0cc75996   |   URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B/   |   FULLDISC:20200220 Open-Xchange Security Advisory 2020-02-19   |   URL:http://seclists.org/fulldisclosure/2020/Feb/23   |   MISC:http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html   |   MLIST:[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update   |   URL:https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html   |   MLIST:[openoffice-commits] 20191016 svn commit: r1051583 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191016 svn commit: r1868517 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191016 svn commit: r1868522 - /openoffice/ooo-site/trunk/content/security/bulletin.html   |   URL:https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053264 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053267 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053270 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1053271 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870322 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870324 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html   |   URL:https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870336 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631@%3Ccommits.openoffice.apache.org%3E   |   MLIST:[openoffice-commits] 20191124 svn commit: r1870337 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html   |   URL:https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69@%3Ccommits.openoffice.apache.org%3E   |   SUSE:openSUSE-SU-2019:2709   |   URL:http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html",Assigned (20190317),"None (candidate not yet proposed)",""
90| 
91|_
92
93Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
94# Nmap done at Sat Mar 21 17:59:58 2020 -- 1 IP address (1 host up) scanned in 44.80 seconds