18.11

DATE	CVE	VULNERABILITY TITLE	RISK
2020-08-25	CVE-2020-24616	Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). network high complexity fasterxml netapp oracle debian CWE-502	8.1
2020-07-14	CVE-2020-13935	Infinite Loop vulnerability in multiple products The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. network low complexity apache debian netapp opensuse canonical mcafee oracle CWE-835	7.5
2020-07-14	CVE-2020-13934	Memory Leak vulnerability in multiple products An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. network low complexity apache debian netapp opensuse canonical oracle CWE-401	7.5
2020-06-26	CVE-2020-11996	A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. network low complexity apache canonical oracle opensuse debian netapp	7.5
2020-05-20	CVE-2020-9484	Deserialization of Untrusted Data vulnerability in multiple products When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. local high complexity apache debian opensuse fedoraproject canonical oracle mcafee CWE-502	7.0
2020-04-27	CVE-2020-9488	Improper Certificate Validation vulnerability in multiple products Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. network high complexity apache oracle debian qos CWE-295	3.7
2020-02-24	CVE-2020-1938	When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. network low complexity apache fedoraproject oracle debian opensuse blackberry critical	9.8
2020-02-24	CVE-2020-1935	HTTP Request Smuggling vulnerability in multiple products In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. network high complexity apache debian canonical opensuse netapp oracle CWE-444	4.8
2020-01-15	CVE-2020-2564	Unspecified vulnerability in Oracle Siebel UI Framework Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: EAI). network low complexity oracle	5.3
2020-01-15	CVE-2020-2560	Unspecified vulnerability in Oracle Siebel UI Framework Vulnerability in the Siebel UI Framework product of Oracle Siebel CRM (component: SWSE Server). network oracle	4.3