Oracle Endeca Information Discovery Studio

By the Year

In 2022 there have been 0 vulnerabilities in Oracle Endeca Information Discovery Studio. Last year Endeca Information Discovery Studio had 1 security vulnerability published. At this rate, Endeca Information Discovery Studio is on track to have fewer security vulnerabilities in 2022 than it did last year.

Year  Vulnerabilities  Average Score
2022  0                0.00
2021  1                9.90
2020  3                7.53
2019  3                9.03
2018  2                6.10

It may take a day or so for new Endeca Information Discovery Studio vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Oracle Endeca Information Discovery Studio Security Vulnerabilities

CVE-2021-21345 9.9 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Code Injection

CVE-2020-26217 8.8 - High - November 16, 2020

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Shell injection

CVE-2020-11979 7.5 - High - October 01, 2020

As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

CVE-2020-1945 6.3 - Medium - May 14, 2020

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process.

Exposure of Resource to Wrong Sphere

CVE-2019-17571 9.8 - Critical - December 20, 2019

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

Marshaling, Unmarshaling

CVE-2019-10173 9.8 - Critical - July 23, 2019

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any other supported format, e.g. JSON (regression of CVE-2013-7285).

Code Injection

CVE-2019-0227 7.5 - High - May 01, 2019

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug fix commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

XSPA

CVE-2018-8032 6.1 - Medium - August 02, 2018

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

XSS

CVE-2015-9251 6.1 - Medium - January 18, 2018

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

XSS
