Vulnerabilities > Oracle > Communications Cloud Native Core Security Edge Protection Proxy

DATE CVE VULNERABILITY TITLE RISK
2022-04-01 CVE-2022-22963 Expression Language Injection vulnerability in multiple products
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
network
low complexity
vmware oracle CWE-917
critical
9.8
2022-04-01 CVE-2022-22965 Code Injection vulnerability in multiple products
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
network
low complexity
vmware cisco oracle siemens veritas CWE-94
critical
9.8
2022-03-11 CVE-2020-36518 Out-of-bounds Write vulnerability in multiple products
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
network
low complexity
fasterxml oracle debian netapp CWE-787
7.5
2022-03-04 CVE-2022-22946 Improper Certificate Validation vulnerability in multiple products
In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager.
local
low complexity
vmware oracle CWE-295
5.5
2022-03-03 CVE-2022-22947 Expression Language Injection vulnerability in multiple products
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
network
low complexity
vmware oracle CWE-917
critical
10.0
2022-02-24 CVE-2022-24407 SQL Injection vulnerability in multiple products
In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
8.8
2022-01-14 CVE-2022-23219 Classic Buffer Overflow vulnerability in multiple products
The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
network
low complexity
gnu oracle debian CWE-120
critical
9.8
2021-12-18 CVE-2021-45105 Uncontrolled Recursion vulnerability in multiple products
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups.
network
high complexity
apache netapp debian sonicwall oracle CWE-674
5.9
2021-12-09 CVE-2021-43797 HTTP Request Smuggling vulnerability in multiple products
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
network
low complexity
netty quarkus netapp oracle debian CWE-444
6.5
2021-11-04 CVE-2021-43396 In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset.
network
low complexity
gnu oracle
7.5