aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

3438 items

CVE-2017-7561: Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS reques

info · vulnerability · security
Sep 13, 2017
CVE-2017-7561

CVE-2017-7561 is a vulnerability in the JAX-RS component of Red Hat JBoss EAP (Enterprise Application Platform, a Java application server). The affected range, 3.0.7 through before 4.0.0.Beta1, is expressed in RESTEasy version numbers (RESTEasy is the JAX-RS implementation shipped with EAP). The flaw allows server-side cache poisoning or unintended CORS (cross-origin resource sharing, the browser mechanism that controls which origins may read a response) requests, and the advisory rates the impact as moderate.
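The entry above names the two failure modes without showing how they connect. The following is an added example, not RESTEasy or JBoss code: a CORS handler that reflects the request's Origin header and omits "Vary: Origin" lets one client poison a shared cache for everyone else, while the hardened handler allowlists origins and marks the response as varying on Origin. The endpoint, origins and the cache model are constructed assumptions.

```python
"""Added example (not RESTEasy/JBoss code): Origin reflection plus a missing
Vary: Origin header, modelled against a simple shared cache."""
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]                        # request header names are lower-cased
ALLOWED_ORIGINS = {"https://app.example.com"}   # assumed allowlist, not from the advisory


def cors_reflecting(req: Headers) -> Headers:
    """Weak handler: echoes whatever Origin arrives and sends no Vary header."""
    resp = {"Content-Type": "application/json"}
    origin = req.get("origin")
    if origin:
        resp["Access-Control-Allow-Origin"] = origin
    return resp


def cors_hardened(req: Headers) -> Headers:
    """Fixed handler: only allowlisted origins get ACAO, and Vary: Origin tells
    caches to key the entry on the Origin request header."""
    resp = {"Content-Type": "application/json", "Vary": "Origin"}
    origin = req.get("origin")
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
    return resp


class SharedCache:
    """Minimal model of a caching proxy: a stored entry for a URL is reused when
    the request's values for the headers named in the stored Vary match."""

    def __init__(self) -> None:
        self.entries: Dict[str, List[Tuple[Tuple[str, ...], Tuple[str, ...], Headers]]] = {}

    @staticmethod
    def _vary_names(resp: Headers) -> Tuple[str, ...]:
        return tuple(h.strip().lower() for h in resp.get("Vary", "").split(",") if h.strip())

    def fetch(self, url: str, req: Headers,
              origin_server: Callable[[Headers], Headers]) -> Tuple[Headers, bool]:
        """Return (response headers, served_from_cache)."""
        for names, values, resp in self.entries.get(url, []):
            if tuple(req.get(n, "") for n in names) == values:
                return resp, True
        resp = origin_server(req)
        names = self._vary_names(resp)
        values = tuple(req.get(n, "") for n in names)
        self.entries.setdefault(url, []).append((names, values, resp))
        return resp, False


def poisoning_scenario(handler: Callable[[Headers], Headers]) -> Tuple[str, bool]:
    """An attacker-controlled page primes the cache first; a legitimate user then
    requests the same URL. Returns the ACAO value the legitimate user receives
    and whether it was served from the cache."""
    cache = SharedCache()
    url = "/api/account"                         # constructed endpoint
    cache.fetch(url, {"origin": "https://evil.example"}, handler)
    resp, hit = cache.fetch(url, {"origin": "https://app.example.com"}, handler)
    return resp.get("Access-Control-Allow-Origin", ""), hit


if __name__ == "__main__":
    print("reflecting:", poisoning_scenario(cors_reflecting))  # ('https://evil.example', True)
    print("hardened:  ", poisoning_scenario(cors_hardened))    # ('https://app.example.com', False)
```

With the reflecting handler the legitimate user is handed a cached response whose ACAO names the attacker's origin, so the browser blocks the app's own cross-origin call (and, without a cache, any origin at all is granted access). With the hardened handler the cache keys on Origin and each origin gets its own correctly evaluated response.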

NVD/CVE Database

CVE-2016-8739: The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyRea

high · vulnerability · security
Aug 10, 2017
CVE-2016-8739

CVE-2016-8739 is a vulnerability in the JAX-RS module (the Java API for REST web services) of Apache CXF before 3.0.12 and 3.1.x before 3.1.9, in its Atom JAX-RS MessageBodyReaders. The tracked entry carries only the truncated description and reference links to the advisories; the readers rely on the Apache Abdera parser, which expands XML entities by default, so untrusted Atom input is an XML External Entity (XXE) risk.

CVE-2017-10243: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAX-WS). Supported ve

medium · vulnerability · security
Aug 8, 2017
CVE-2017-10243

A vulnerability in Oracle Java SE's JAX-WS (Java API for XML Web Services, a tool for building web services) allows attackers to read some data they shouldn't access and partially disrupt service availability without needing to authenticate. The flaw affects multiple Java versions and can be exploited through web services or sandboxed Java applications (restricted programs running in isolated environments), with a CVSS score (severity rating) of 6.5 out of 10.

CVE-2017-10101: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that

critical · vulnerability · security
Aug 8, 2017
CVE-2017-10101

CVE-2017-10101 is a critical vulnerability in Oracle Java SE (JAXP, which handles XML processing) affecting versions 6u151, 7u141, and 8u131 that allows attackers to take over systems through network access if users interact with untrusted code like Java Web Start applications (programs downloaded and run from the internet within a protected sandbox environment). The vulnerability has a CVSS score (severity rating) of 9.6 out of 10, meaning it is very serious.

CVE-2017-10096: Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that

critical · vulnerability · security
Aug 8, 2017
CVE-2017-10096

CVE-2017-10096 is a critical vulnerability in Oracle Java SE's JAXP component (a toolkit for processing XML documents) that affects versions 6u151, 7u141, and 8u131. An attacker can exploit this flaw over the network to take complete control of Java systems, but only if a user runs untrusted code like Java applets or Web Start applications from the internet. The vulnerability has a severity score of 9.6 out of 10.

CVE-2017-4895: Airwatch Agent for Android contains a vulnerability that may allow a device to bypass root detection. Successful exploit

info · vulnerability · security
May 10, 2017
CVE-2017-4895

CVE-2017-4895 is a vulnerability in Airwatch Agent for Android that allows a device to bypass root detection (a security check that prevents compromised devices from accessing sensitive data). If successfully exploited, an enrolled device could gain unrestricted access and bypass local Airwatch security controls and data protections.

CVE-2017-3526: Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported vers

medium · vulnerability · security
Apr 24, 2017
CVE-2017-3526

A vulnerability in Oracle Java SE's JAXP component (a library for processing XML documents) allows attackers over the network to crash Java applications without authentication, affecting Java versions 6u141, 7u131, 8u121 and related products. The attack is difficult to exploit but can be delivered through multiple methods, including malicious Java Web Start applications (Java programs downloaded and run from the web) and web services. The vulnerability has a CVSS score (a 0-10 severity rating) of 5.9, indicating moderate impact focused on availability disruption.

CVE-2017-5653: JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response w

high · vulnerability · security
Apr 18, 2017
CVE-2017-5653

CVE-2017-5653 is a security flaw in Apache CXF (a framework for building web services) before 3.1.11 and 3.0.13: the JAX-RS (Java API for REST web services) XML Security streaming clients did not check that the response they received was actually signed or encrypted when they were configured to expect that protection. A response carrying no signature or encryption is therefore accepted as if it were protected, which lets a remote attacker spoof the service.
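The defect class here is "verify protection only if it happens to be present" instead of "refuse the message when required protection is absent". The following is an added example, not Apache CXF code: a lenient acceptor that mirrors the bug beside a fail-closed one. Only the structural presence of the XML Signature / XML Encryption elements is checked; a real client must also verify the signature and decrypt, which is out of scope here. Both responses are constructed.

```python
"""Added example (not Apache CXF code): fail-closed acceptance of XML service
responses when a signature or encryption layer is required."""
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
XENC = "{http://www.w3.org/2001/04/xmlenc#}"

# Constructed service responses (not captured from any real service).
SIGNED_RESPONSE = b"""<Book xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <title>Example</title>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</Book>"""
PLAIN_RESPONSE = b"<Book><title>Example</title></Book>"


class UnprotectedResponse(Exception):
    """Raised when a required signature or encryption layer is absent."""


def protection_present(xml_bytes: bytes):
    """Return (signed, encrypted) based on which protection elements exist."""
    root = ET.fromstring(xml_bytes)
    signed = root.tag == DSIG + "Signature" or root.find(".//" + DSIG + "Signature") is not None
    encrypted = (root.tag == XENC + "EncryptedData"
                 or root.find(".//" + XENC + "EncryptedData") is not None)
    return signed, encrypted


def accept_lenient(xml_bytes: bytes, require_signature: bool = True) -> bool:
    """Vulnerable pattern: the client is configured to require a signature but
    only acts on one if it is there, so an unsigned response from a spoofed
    server sails through. require_signature is never consulted: that is the bug."""
    signed, _ = protection_present(xml_bytes)
    if signed:
        pass  # signature verification would run here
    return True


def accept_strict(xml_bytes: bytes, require_signature: bool = True,
                  require_encryption: bool = False) -> bool:
    """Fail closed: a missing required layer is an error, not a pass-through."""
    signed, encrypted = protection_present(xml_bytes)
    if require_signature and not signed:
        raise UnprotectedResponse("response is not signed but a signature is required")
    if require_encryption and not encrypted:
        raise UnprotectedResponse("response is not encrypted but encryption is required")
    # cryptographic verification of the present layers would follow here
    return True


def is_accepted(xml_bytes: bytes, strict: bool) -> bool:
    """True if the chosen policy accepts the response."""
    try:
        return accept_strict(xml_bytes) if strict else accept_lenient(xml_bytes)
    except UnprotectedResponse:
        return False


if __name__ == "__main__":
    print("lenient accepts unsigned:", is_accepted(PLAIN_RESPONSE, strict=False))  # True
    print("strict accepts unsigned: ", is_accepted(PLAIN_RESPONSE, strict=True))   # False
    print("strict accepts signed:   ", is_accepted(SIGNED_RESPONSE, strict=True))  # True
```

Presence of a ds:Signature element is necessary but nowhere near sufficient: after the strict gate, the signature must be verified against a pinned key and the signed elements must be the ones the client actually consumes, or signature-wrapping attacks reappear.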

CVE-2017-5671: Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x befo

info · vulnerability · security
Mar 29, 2017
CVE-2017-5671

Honeywell Intermec industrial printers (models PM23, PM42, PM43, PC23, PC43, PD43 and PC42) with firmware before 10.11.013310, or 10.12.x before 10.12.013309, ship a Lua interpreter installed setuid to the itadmin account, so any script a local user feeds to it runs with itadmin's privileges. A local user can use this to carry out a BusyBox jailbreak and gain root privileges by modifying /etc/shadow (the file that holds account password hashes).
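A setuid interpreter is an unusually bad setuid binary because it executes whatever its caller hands it. The following is an added example, not Honeywell code: a scanner that walks a filesystem tree, lists every setuid/setgid regular file and flags the ones that are general-purpose interpreters. The interpreter name list and the demo tree (built in a temporary directory) are assumptions.

```python
"""Added example (not Honeywell firmware code): find setuid/setgid binaries and
flag interpreters among them, the class of defect behind the setuid Lua."""
import os
import stat
import tempfile
from typing import Dict, List

# Assumed list: binaries that run arbitrary caller-supplied code if setuid.
INTERPRETERS = {"lua", "lua5.1", "lua5.3", "sh", "ash", "bash", "busybox",
                "perl", "python", "python3"}


def classify(path: str, mode: int, uid: int) -> Dict[str, object]:
    """Pure check on (path, st_mode, st_uid): privilege bits and interpreter status."""
    return {
        "path": path,
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "owner_uid": uid,
        "interpreter": os.path.basename(path) in INTERPRETERS,
    }


def find_privileged(root: str) -> List[Dict[str, object]]:
    """Walk root and return every regular file carrying the setuid or setgid bit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(classify(path, st.st_mode, st.st_uid))
    return sorted(found, key=lambda f: f["path"])


def risky_interpreters(root: str) -> List[str]:
    """Basenames of setuid/setgid interpreters: each is a local escalation to the
    file owner's identity (itadmin in the Intermec case)."""
    return [os.path.basename(f["path"]) for f in find_privileged(root) if f["interpreter"]]


def demo() -> List[str]:
    """Constructed tree: setuid lua and busybox, plus a normal ls."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("lua", 0o4755), ("busybox", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:          # write before chmod: a later write clears setuid
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return risky_interpreters(root)


if __name__ == "__main__":
    print(demo())  # ['busybox', 'lua']
```

Pointed at a real root (for example an unpacked firmware image) the same scan gives the list a reviewer wants before shipping: every setuid file should be a small, purpose-built program, never an interpreter or a multi-call binary like busybox.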

CVE-2016-9795: The casrvc program in CA Common Services, as used in CA Client Automation 12.8, 12.9, and 14.0; CA SystemEDGE 5.8.2 and

high · vulnerability · security
Jan 27, 2017
CVE-2016-9795

A vulnerability in the casrvc program (a service component used by multiple CA software products) allows local users (people with access to the same computer) to modify any file on the system and gain root privileges (full administrative control) because the program doesn't properly validate input or check permissions. This affects multiple versions of CA software across several operating systems including Linux, AIX, HP-UX, and Solaris.

CVE-2016-3551: Unspecified vulnerability in the Oracle Web Services component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, 12.1.

info · vulnerability · security
Oct 25, 2016
CVE-2016-3551

CVE-2016-3551 is an unspecified vulnerability in the Oracle Web Services component of Oracle Fusion Middleware (Oracle's middleware suite) that affects versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, and 12.2.1.0.0. Remote attackers can exploit this flaw through the JAXWS Web Services Stack (the layer that handles SOAP web service communication) to compromise confidentiality, integrity, and availability of the system.

CVE-2016-3508: Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows r

info · vulnerability · security
Jul 21, 2016
CVE-2016-3508

CVE-2016-3508 is a vulnerability in multiple versions of Oracle Java SE (the Java programming language platform) and related products that allows remote attackers to disrupt service availability through a flaw in JAXP (Java API for XML Processing, a tool for handling XML documents). The exact details of the vulnerability are not specified in this advisory.

CVE-2016-3500: Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows r

info · vulnerability · security
Jul 21, 2016
CVE-2016-3500 · EPSS: 11.6%

CVE-2016-2923: IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the

info · vulnerability · security
Jul 7, 2016
CVE-2016-2923

IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 omits the HttpOnly flag from the Set-Cookie header of a JAX-RS API cookie. HttpOnly (a cookie attribute that stops page scripts from reading the cookie) being absent makes it easier for an attacker who can run script in the page, for example via cross-site scripting, to steal the cookie value.
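Missing cookie flags are easy to catch at the edge. The following is an added example, not IBM or WebSphere code: a small audit of Set-Cookie headers that reports cookies lacking HttpOnly (the defect above) as well as Secure and SameSite, plus the one-line server-side fix. The response headers are constructed, not captured from a Liberty server, and the cookie names are assumptions.

```python
"""Added example (not IBM/WebSphere code): audit Set-Cookie headers for missing
HttpOnly, Secure and SameSite, and append HttpOnly where it is absent."""
from typing import Dict, List, Tuple, Union

# Constructed sample response; the second cookie mirrors the reported defect.
SAMPLE_HEADERS = [
    "Content-Type: application/json",
    "Set-Cookie: JSESSIONID=0000SESSION; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: jaxrsToken=abc123; Path=/api; Secure",        # no HttpOnly
    "Set-Cookie: theme=dark; Path=/",
]

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(value: str) -> Tuple[str, Attrs]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_cookies(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, [missing flags]) for each Set-Cookie lacking any of
    HttpOnly, Secure or SameSite. Header names match case-insensitively."""
    findings = []
    for line in headers:
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        missing = [flag for flag in ("HttpOnly", "Secure", "SameSite")
                   if flag.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def add_httponly(value: str) -> str:
    """Server-side fix: append HttpOnly to a Set-Cookie value that lacks it."""
    _, attrs = parse_set_cookie(value)
    return value if "httponly" in attrs else value.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run against real responses (curl -sI, a proxy log, or a middleware hook) the audit turns the advisory's one-off finding into a regression check; the fix belongs in the framework that mints the cookie, not in a reverse-proxy rewrite, so that every deployment gets it.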

CVE-2016-2155: The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x

info · vulnerability · security
May 22, 2016
CVE-2016-2155

A security flaw in Moodle's grade-reporting feature called Singleview allowed users with the Non-Editing Instructor role to change grade exclusion settings even though they shouldn't have that permission. The vulnerability affected Moodle versions 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, because the system didn't properly check user permissions (moodle/grade:manage capability, which controls who can modify grades).

CVE-2016-3425: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows rem

info · vulnerability · security
Apr 21, 2016
CVE-2016-3425

CVE-2016-3425 is an unspecified vulnerability in Oracle Java SE (versions 6u113, 7u99, and 8u77), Java SE Embedded 8u77, and JRockit R28.3.9 that affects a component called JAXP (Java API for XML Processing, which handles XML documents). Remote attackers could exploit this vulnerability to disrupt service availability, though the exact attack method is not detailed in this notice.

CVE-2016-0466: Unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit components in Oracle Java SE 6u105, 7u91, and 8u

medium · vulnerability · security
Jan 21, 2016
CVE-2016-0466

CVE-2016-0466 is an unspecified vulnerability in Oracle Java SE (the Java programming language and runtime environment) versions 6u105, 7u91, and 8u66 that affects system availability. The flaw exists in JAXP (Java API for XML Processing, a library for handling XML documents) and can be exploited remotely through Java Web Start applications, Java applets, or web services that use the affected Java components.

CVE-2016-0572: Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, an

info · vulnerability · security
Jan 20, 2016
CVE-2016-0572

CVE-2016-0572 is an unspecified vulnerability in Oracle WebLogic Server (a server software used to run enterprise applications) versions 10.3.6, 12.1.2, 12.1.3, and 12.2.1 that allows remote attackers to compromise the confidentiality, integrity, and availability of systems through unknown methods related to the Coherence Container component. The exact nature of the vulnerability and attack method are not detailed in the available information.

CVE-2015-4911: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows rem

info · vulnerability · security
Oct 22, 2015
CVE-2015-4911

CVE-2015-4911 is a vulnerability in multiple versions of Oracle Java SE (Java SE 6u101, 7u85, 8u60), Java SE Embedded 8u51, and JRockit R28.3.7 that allows remote attackers to disrupt service availability through JAXP (Java API for XML Processing, which handles XML data in Java programs). The vulnerability details remain unspecified, and the National Institute of Standards and Technology (NIST) has not prioritized detailed analysis of this issue.

CVE-2015-4893: Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows rem

info · vulnerability · security
Oct 21, 2015
CVE-2015-4893

CVE-2015-4893 is an unspecified vulnerability in multiple versions of Oracle Java SE and related products that allows remote attackers to disrupt service availability through JAXP (Java API for XML Processing, a tool Java uses to read and write XML files). The vulnerability can be exploited through web-based Java applications or by sending malicious data directly to affected APIs.

Page 166 of 172

Source for all items on this page: NVD/CVE Database

Notes attached to items above:

CVE-2017-5671 fix: Update firmware to version 10.11.013310 or 10.12.013309 or later.

CVE-2016-3500 summary: A vulnerability (CVE-2016-3500) exists in several versions of Oracle Java SE and related products that allows remote attackers to disrupt service through a flaw in JAXP (Java API for XML Processing, a tool for handling XML data). The vulnerability affects Java SE versions 6u115, 7u101, 8u92, Java SE Embedded 8u91, and JRockit R28.3.10.

CVE-2016-2923 fix: Update to IBM WebSphere Application Server Liberty Fix Pack 16.0.0.2 or later.

CVE-2016-2155 fix: Update to Moodle 2.8.11, 2.9.5, or 3.0.3 or later, as referenced in the CVE description and the Moodle git repository commit tracking system.