Vulnerabilities > Oracle > High

DATE CVE VULNERABILITY TITLE RISK
2016-02-03 CVE-2015-7546 Insufficiently Protected Credentials vulnerability in multiple products
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
network
high complexity
openstack oracle CWE-522
7.5
2016-01-31 CVE-2016-1935 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Buffer overflow in the BufferSubData function in Mozilla Firefox before 44.0 and Firefox ESR 38.x before 38.6 allows remote attackers to execute arbitrary code via crafted WebGL content.
network
low complexity
opensuse oracle mozilla CWE-119
8.8
2016-01-14 CVE-2016-0778 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings.
network
high complexity
oracle openbsd apple hp sophos CWE-119
8.1
2016-01-12 CVE-2015-1779 Resource Exhaustion vulnerability in multiple products
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
8.6
2015-12-07 CVE-2015-3276 The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.
network
low complexity
openldap oracle redhat
7.5
2015-10-01 CVE-2015-7236 Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
network
low complexity
rpcbind-project canonical debian oracle
7.5
2015-08-14 CVE-2014-3576 Permissions, Privileges, and Access Controls vulnerability in multiple products
The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.
network
low complexity
apache oracle CWE-264
7.5
2015-08-08 CVE-2015-4495 The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
network
low complexity
mozilla oracle canonical redhat suse opensuse
8.8
2015-06-12 CVE-2015-1789 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
network
low complexity
openssl oracle CWE-119
7.5
2015-06-09 CVE-2015-3200 Injection vulnerability in multiple products
mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.
network
low complexity
lighttpd hp oracle CWE-74
7.5