Oracle Communications Messaging Server 8.1

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Published: 2021-08-18T15:10:11.000Z
Updated: 2024-08-04T01:23:01.524Z

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Published: 2021-07-13T07:15:23.000Z
Updated: 2024-08-04T00:47:43.813Z

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Published: 2021-07-13T07:15:22.000Z
Updated: 2024-08-04T00:40:46.713Z

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Published: 2021-07-13T07:15:20.000Z
Updated: 2024-08-04T00:40:46.628Z

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Published: 2021-07-13T07:15:19.000Z
Updated: 2024-08-04T00:40:47.264Z

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

Published: 2021-06-16T11:18:14.000Z
Updated: 2024-08-03T23:58:23.111Z

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Published: 2021-06-12T09:45:11.000Z
Updated: 2024-08-03T23:10:30.239Z

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Published: 2021-06-12T09:45:11.000Z
Updated: 2024-08-03T23:10:30.183Z

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

Published: 2021-06-16T12:00:18.000Z
Updated: 2024-08-03T22:32:41.089Z

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

Published: 2021-03-31T07:35:14.000Z
Updated: 2025-02-13T16:27:59.935Z

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Published: 2021-03-19T16:05:21.000Z
Updated: 2025-02-13T16:27:57.655Z

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Published: 2021-03-19T16:05:20.000Z
Updated: 2025-02-13T16:27:57.032Z

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

Published: 2020-04-27T13:25:27.000Z
Updated: 2024-08-04T10:26:16.391Z

In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations.

Published: 2020-02-21T21:25:14.000Z
Updated: 2024-08-04T10:26:16.084Z

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Published: 2020-12-18T00:52:48.000Z
Updated: 2024-08-04T16:33:56.942Z

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Published: 2020-12-03T16:16:50.000Z
Updated: 2024-08-04T15:40:36.648Z

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.

Published: 2020-11-12T12:45:14.000Z
Updated: 2025-02-13T16:27:30.592Z

In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

Published: 2020-04-09T02:49:18.000Z
Updated: 2024-08-04T11:35:13.760Z

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

Published: 2020-04-09T02:49:33.000Z
Updated: 2024-08-04T11:35:13.644Z

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Published: 2020-04-07T18:00:34.000Z
Updated: 2024-08-04T11:35:13.236Z

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

Published: 2019-11-08T14:46:03.000Z
Updated: 2025-07-07T13:55:51.360Z

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Published: 2019-04-17T14:07:34.000Z
Updated: 2024-08-04T17:44:15.952Z