Vulnerabilities > Oracle > Communications Cloud Native Core Policy > High

DATE	CVE	VULNERABILITY TITLE	RISK
2021-03-10	CVE-2020-13936	An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. network low complexity apache debian oracle	8.8
2021-03-01	CVE-2021-25329	The fix for CVE-2020-9484 was incomplete. local high complexity apache debian oracle	7.0
2021-03-01	CVE-2021-25122	Information Exposure vulnerability in multiple products When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. network low complexity apache debian oracle CWE-200	7.5
2021-02-16	CVE-2021-23840	Integer Overflow or Wraparound vulnerability in multiple products Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. network low complexity openssl debian tenable oracle mcafee fujitsu nodejs CWE-190	7.5
2021-02-15	CVE-2021-23337	Code Injection vulnerability in multiple products Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. network low complexity lodash oracle netapp siemens CWE-94	7.2
2021-02-12	CVE-2020-13949	Resource Exhaustion vulnerability in multiple products In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. network low complexity apache oracle CWE-400	7.5
2021-01-07	CVE-2020-36183	Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. network high complexity fasterxml netapp debian oracle CWE-502	8.1
2021-01-07	CVE-2020-36182	Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. network high complexity fasterxml netapp debian oracle CWE-502	8.1
2021-01-07	CVE-2020-36180	Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. network high complexity netapp debian oracle fasterxml CWE-502	8.1
2021-01-07	CVE-2020-36179	Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. network high complexity netapp debian oracle fasterxml CWE-502	8.1

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.