Vulnerabilities > Oracle > Communications Cloud Native Core Security Edge Protection Proxy > Critical

DATE	CVE	VULNERABILITY TITLE	RISK
2022-04-01	CVE-2022-22965	Code Injection vulnerability in multiple products A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. network low complexity vmware cisco oracle siemens veritas CWE-94 critical	9.8
2022-04-01	CVE-2022-22963	Expression Language Injection vulnerability in multiple products In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. network low complexity vmware oracle CWE-917 critical	9.8
2022-03-03	CVE-2022-22947	Expression Language Injection vulnerability in multiple products In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. network low complexity vmware oracle CWE-917 critical	10.0
2022-01-14	CVE-2022-23219	Classic Buffer Overflow vulnerability in multiple products The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. network low complexity gnu oracle debian CWE-120 critical	9.8
2021-08-24	CVE-2021-3711	Classic Buffer Overflow vulnerability in multiple products In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). network low complexity openssl debian netapp oracle tenable CWE-120 critical	9.8
2019-10-15	CVE-2019-17195	Improper Handling of Exceptional Conditions vulnerability in multiple products Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. network low complexity connect2id apache oracle CWE-755 critical	9.8

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.