Oss Support Tools Oracle Oss Support Tools

Do you want an email whenever new security vulnerabilities are reported in Oracle Oss Support Tools?

By the Year

In 2022 there have been 1 vulnerability in Oracle Oss Support Tools with an average score of 5.5 out of ten. Last year Oss Support Tools had 6 security vulnerabilities published. Right now, Oss Support Tools is on track to have less security vulnerabilities in 2022 than it did last year. Last year, the average CVE base score was greater by 1.18

Year Vulnerabilities Average Score
2022 1 5.50
2021 6 6.68
2020 1 6.10
2019 3 7.90
2018 4 7.80

It may take a day or so for new Oss Support Tools vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle Oss Support Tools Security Vulnerabilities

Vulnerability in the OSS Support Tools product of Oracle Support Tools (component: Oracle Explorer)

CVE-2022-21405 5.5 - Medium - April 19, 2022

Vulnerability in the OSS Support Tools product of Oracle Support Tools (component: Oracle Explorer). The supported version that is affected is 18.3. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where OSS Support Tools executes to compromise OSS Support Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in OSS Support Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all OSS Support Tools accessible data. CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N).

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely

CVE-2021-41973 6.5 - Medium - November 01, 2021

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

Infinite Loop

Vulnerability in the Advanced Networking Option component of Oracle Database Server

CVE-2021-2351 8.3 - High - July 21, 2021

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error

CVE-2021-30129 6.5 - Medium - July 12, 2021

A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0

Missing Release of Resource after Effective Lifetime

Vulnerability in the OSS Support Tools product of Oracle Support Tools (component: Diagnostic Assistant)

CVE-2021-2303 4.9 - Medium - April 22, 2021

Vulnerability in the OSS Support Tools product of Oracle Support Tools (component: Diagnostic Assistant). The supported version that is affected is Prior to 2.12.41. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise OSS Support Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all OSS Support Tools accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//

CVE-2021-29425 4.8 - Medium - April 13, 2021

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Directory traversal

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4

CVE-2021-27568 9.1 - Critical - February 23, 2021

An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

Improper Check for Unusual or Exceptional Conditions

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements

CVE-2020-11023 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

XSS

A vulnerability was found in Hibernate-Validator

CVE-2019-10219 6.1 - Medium - November 08, 2019

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

XSS

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

CVE-2019-5482 9.8 - Critical - September 16, 2019

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

Memory Corruption

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/)

CVE-2019-5443 7.8 - High - July 02, 2019

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.

DLL preloading

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option

CVE-2015-9251 6.1 - Medium - January 18, 2018

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

XSS

Vulnerability in the OSS Support Tools component of Oracle Support Tools (subcomponent: Diagnostic Assistant)

CVE-2018-2615 8.8 - High - January 18, 2018

Vulnerability in the OSS Support Tools component of Oracle Support Tools (subcomponent: Diagnostic Assistant). The supported version that is affected is Prior to 2.11.33. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise OSS Support Tools. Successful attacks of this vulnerability can result in takeover of OSS Support Tools. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the OSS Support Tools component of Oracle Support Tools (subcomponent: Diagnostic Assistant)

CVE-2018-2616 8.8 - High - January 18, 2018

Vulnerability in the OSS Support Tools component of Oracle Support Tools (subcomponent: Diagnostic Assistant). The supported version that is affected is Prior to 2.11.33. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise OSS Support Tools. Successful attacks of this vulnerability can result in takeover of OSS Support Tools. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Vulnerability in the OSS Support Tools component of Oracle Support Tools (subcomponent: Diagnostic Assistant)

CVE-2018-2617 7.5 - High - January 18, 2018

Vulnerability in the OSS Support Tools component of Oracle Support Tools (subcomponent: Diagnostic Assistant). The supported version that is affected is Prior to 2.11.33. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise OSS Support Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all OSS Support Tools accessible data. CVSS 3.0 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle Oss Support Tools or by Oracle? Click the Watch button to subscribe.

Oracle
Vendor

subscribe