Vulnerabilities > Alibaba
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-08-22 | CVE-2020-21699 | Integer Overflow or Wraparound vulnerability in Alibaba Tengine 2.2.2 The web server Tengine 2.2.2 developed in the Nginx version from 0.5.6 thru 1.13.2 is vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in the leakage of potentially sensitive information triggered by specially crafted requests. | 7.5 |
| 2022-07-05 | CVE-2021-43116 | Improper Authentication vulnerability in Alibaba Nacos An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login. | 6.5 |
| 2022-06-10 | CVE-2022-25845 | Deserialization of Untrusted Data vulnerability in multiple products The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. | 9.8 |
| 2022-03-11 | CVE-2021-44667 | Cross-site Scripting vulnerability in Alibaba Nacos 2.0.3 A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters. | 4.3 |
| 2021-11-03 | CVE-2021-33800 | Path Traversal vulnerability in Alibaba Druid 1.2.3 In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal. | 5.0 |
| 2021-04-27 | CVE-2021-29441 | Authentication Bypass by Spoofing vulnerability in Alibaba Nacos Nacos is a platform designed for dynamic service discovery and configuration and service management. | 7.5 |
| 2021-04-27 | CVE-2021-29442 | Missing Authentication for Critical Function vulnerability in Alibaba Nacos Nacos is a platform designed for dynamic service discovery and configuration and service management. | 5.0 |
| 2020-09-30 | CVE-2020-19676 | Information Exposure vulnerability in Alibaba Nacos 1.1.4 Nacos 1.1.4 is affected by: Incorrect Access Control. | 5.0 |
| 2018-10-23 | CVE-2017-18349 | Improper Input Validation vulnerability in multiple products parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java. | 10.0 |
| 2014-09-20 | CVE-2014-5976 | Cryptographic Issues vulnerability in Alibaba 4.1.0.0 The alibaba (aka com.alibaba.wireless) application 4.1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.4 |