AI Sec Watch

CVE-2018-20301 is a mass assignment vulnerability (a flaw where an attacker can modify data fields they shouldn't be able to change) in Steve Pallen Coherence before version 0.5.2. The vulnerability allows users registering for accounts to update any field in the system, including automatically confirming their own accounts by adding a confirmed_at parameter to their registration request.

X-Pack Machine Learning (a tool for automated data analysis in Elasticsearch) versions before 6.2.4 and 5.6.9 contained a cross-site scripting vulnerability (XSS, a flaw where attackers inject malicious code into web pages). An attacker could inject harmful data into a database index being analyzed by the machine learning tool, and when another user views the results, the attacker could steal sensitive information or perform actions as that user.

X-Pack Machine Learning (a tool for building predictive models in Elastic) versions before 6.2.4 and 5.6.9 contained a cross-site scripting vulnerability (XSS, where attackers inject malicious code that runs in users' browsers). Users with manage_ml permissions could hide malicious data in job configurations that would execute when other users viewed the results, allowing attackers to steal sensitive information or perform harmful actions on behalf of those users.

CVE-2017-5719 is a vulnerability in Intel Deep Learning Training Tool Beta 1 that allows a network attacker to remotely execute code (run commands on a system without authorization) as a local user. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.0. The specific weakness type could not be determined from available information.

A vulnerability in Oracle Java SE's JAXP component (a tool for processing XML, a common data format) allows attackers to partially disable Java programs over the network without needing to log in. This mainly affects Java applications running in sandboxes (isolated environments) that execute untrusted code from the internet, and does not affect servers running only trusted code.

CVE-2016-8739 is a vulnerability in the JAX-RS module (a Java API for building web services) of Apache CXF versions before 3.0.12 and 3.1.x before 3.1.9, involving the Atom JAX-RS MessageBodyReader component. The provided content only lists reference links to advisories and does not include details about the vulnerability's impact or nature.

A vulnerability in Oracle Java SE's JAXP component (a library for processing XML documents) allows attackers over the network to crash Java applications without authentication, affecting Java versions 6u141, 7u131, 8u121 and related products. The attack is difficult to exploit but can be delivered through multiple methods, including malicious Java Web Start applications (Java programs downloaded and run from the web) and web services. The vulnerability has a CVSS score (a 0-10 severity rating) of 5.9, indicating moderate impact focused on availability disruption.

CVE-2017-5653 is a security flaw in Apache CXF (a framework for building web services) versions before 3.1.11 and 3.0.13, where JAX-RS (Java API for REST web services) XML clients do not properly validate responses from services. This could allow attackers to exploit how the software processes XML data from web services it communicates with.

CVE-2016-0466 is an unspecified vulnerability in Oracle Java SE (the Java programming language and runtime environment) versions 6u105, 7u91, and 8u66 that affects system availability. The flaw exists in JAXP (Java API for XML Processing, a library for handling XML documents) and can be exploited remotely through Java Web Start applications, Java applets, or web services that use the affected Java components.