Communications Metasolv Solution Oracle Communications Metasolv Solution

Do you want an email whenever new security vulnerabilities are reported in Oracle Communications Metasolv Solution?

By the Year

In 2022 there have been 2 vulnerabilities in Oracle Communications Metasolv Solution with an average score of 9.8 out of ten. Last year Communications Metasolv Solution had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Communications Metasolv Solution in 2022 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2022 is greater by 2.97.

Year Vulnerabilities Average Score
2022 2 9.80
2021 3 6.83
2020 2 6.90
2019 2 6.70
2018 1 9.80

It may take a day or so for new Communications Metasolv Solution vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle Communications Metasolv Solution Security Vulnerabilities

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

CVE-2022-23990 9.8 - Critical - January 26, 2022

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Integer Overflow or Wraparound

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer

CVE-2022-23852 9.8 - Critical - January 24, 2022

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Integer Overflow or Wraparound

Vulnerability in the Advanced Networking Option component of Oracle Database Server

CVE-2021-2351 7.5 - High - July 21, 2021

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//

CVE-2021-29425 4.8 - Medium - April 13, 2021

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Directory traversal

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel

CVE-2020-11987 8.2 - High - February 24, 2021

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Improper Input Validation

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes

CVE-2019-17566 7.5 - High - November 12, 2020

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

XSPA

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information

CVE-2020-1945 6.3 - Medium - May 14, 2020

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

Exposure of Resource to Wrong Sphere

A vulnerability was found in Hibernate-Validator

CVE-2019-10219 6.1 - Medium - November 08, 2019

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

XSS

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which

CVE-2019-10086 7.3 - High - August 20, 2019

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Marshaling, Unmarshaling

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string

CVE-2018-8013 9.8 - Critical - May 24, 2018

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Marshaling, Unmarshaling

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by Oracle? Click the Watch button to subscribe.

Oracle
Vendor

subscribe