Search for packages
| purl | pkg:rpm/redhat/eap7-h2database@1.4.197-2.redhat_00005.1.ep7?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6tyr-1gfy-fua1
Aliases: CVE-2022-23221 GHSA-45hx-wfhj-473x |
Improper Control of Generation of Code ('Code Injection') H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. | There are no reported fixed by versions. |
|
VCID-6yqn-2w2d-3yd3
Aliases: CVE-2023-39410 GHSA-rhrv-645h-fjfh PYSEC-2023-188 |
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue. | There are no reported fixed by versions. |
|
VCID-agjx-5whj-dyac
Aliases: CVE-2024-47561 GHSA-r7pg-v2c8-mfg3 |
Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. | There are no reported fixed by versions. |
|
VCID-efw6-swgm-4fbc
Aliases: CVE-2024-28752 GHSA-qmgx-j96g-4428 |
SSRF vulnerability using the Aegis DataBinding in Apache CXF A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted. | There are no reported fixed by versions. |
|
VCID-khr7-6pza-afab
Aliases: CVE-2023-26464 GHSA-vp98-w2p3-mv35 |
Apache Log4j 1.x (EOL) allows Denial of Service (DoS) ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | There are no reported fixed by versions. |
|
VCID-knw5-d2nn-vyhq
Aliases: CVE-2022-41853 GHSA-77xx-rxvh-q682 |
HyperSQL DataBase vulnerable to remote code execution when processing untrusted input Those using `java.sql.Statement` or `java.sql.PreparedStatement` in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, `System.setProperty("hsqldb.method_class_names", "abc")` or Java argument `-Dhsqldb.method_class_names="abc"` can be used. From version 2.7.1 all classes by default are not accessible except those in `java.lang.Math` and need to be manually enabled. | There are no reported fixed by versions. |
|
VCID-r7tw-km29-4bdp
Aliases: CVE-2020-7238 GHSA-ff2w-cq2g-wv5f |
HTTP Request Smuggling in Netty Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. | There are no reported fixed by versions. |
|
VCID-rfs8-njaq-qkc8
Aliases: CVE-2022-34169 GHSA-9339-86wc-4qgf |
Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release. | There are no reported fixed by versions. |
|
VCID-rgtf-p6z8-dkc3
Aliases: CVE-2023-5685 GHSA-7f88-5hhx-67m2 |
XNIO denial of service vulnerability A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). Version 3.8.14.Final is expected to contain a fix. | There are no reported fixed by versions. |
|
VCID-zxsk-ucu6-73h1
Aliases: CVE-2023-3171 |
eap-7: heap exhaustion via deserialization | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||