Vulnerabilities > Oracle

DATE CVE VULNERABILITY TITLE RISK
2016-07-19 CVE-2016-5388 Improper Access Control vulnerability in multiple products
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
network
high complexity
redhat hp oracle apache CWE-284
8.1
2016-07-19 CVE-2016-5387 The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. 8.1
2016-07-19 CVE-2016-5386 Improper Access Control vulnerability in multiple products
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
network
high complexity
fedoraproject oracle redhat golang CWE-284
8.1
2016-07-19 CVE-2016-5385 Open Redirect vulnerability in multiple products
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
8.1
2016-07-05 CVE-2016-4957 NULL Pointer Dereference vulnerability in multiple products
ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service (daemon crash) via a crypto-NAK packet.
network
low complexity
ntp oracle novell suse opensuse CWE-476
7.5
2016-07-05 CVE-2016-4956 ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet.
network
low complexity
ntp oracle novell suse opensuse siemens
5.3
2016-07-05 CVE-2016-4955 Race Condition vulnerability in multiple products
ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
network
high complexity
ntp oracle novell suse opensuse siemens CWE-362
5.9
2016-07-05 CVE-2016-4954 Race Condition vulnerability in multiple products
The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
network
low complexity
ntp oracle suse opensuse siemens CWE-362
7.5
2016-07-05 CVE-2016-4953 Improper Authentication vulnerability in multiple products
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time.
network
low complexity
ntp oracle suse opensuse siemens CWE-287
7.5
2016-07-04 CVE-2016-1181 ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
network
high complexity
oracle apache
8.1