Product:

Managed_file_transfer

(Oracle)
Repositories https://github.com/bcgit/bc-java
#Vulnerabilities 15
Date Id Summary Products Score Patch Annotated
2018-07-09 CVE-2018-1000613 Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes... Bc\-Java, Oncommand_workflow_automation, Leap, Api_gateway, Banking_platform, Business_process_management_suite, Business_transaction_management, Communications_application_session_controller, Communications_converged_application_server, Communications_convergence, Communications_diameter_signaling_router, Communications_webrtc_session_controller, Data_integrator, Enterprise_manager_base_platform, Enterprise_manager_for_fusion_middleware, Enterprise_repository, Managed_file_transfer, Peoplesoft_enterprise_peopletools, Retail_convenience_and_fuel_pos_software, Retail_xstore_point_of_service, Soa_suite, Utilities_network_management_system, Webcenter_portal, Weblogic_server 9.8
2018-06-05 CVE-2018-1000180 Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. Bc\-Java, Fips_java_api, Debian_linux, Oncommand_workflow_automation, Api_gateway, Business_process_management_suite, Business_transaction_management, Communications_application_session_controller, Communications_converged_application_server, Communications_webrtc_session_controller, Enterprise_repository, Managed_file_transfer, Peoplesoft_enterprise_peopletools, Retail_convenience_and_fuel_pos_software, Retail_xstore_point_of_service, Soa_suite, Webcenter_portal, Weblogic_server, Jboss_enterprise_application_platform, Virtualization 7.5
2019-10-08 CVE-2019-17359 The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. Tomee, Bc\-Java, Active_iq_unified_manager, Oncommand_api_services, Oncommand_workflow_automation, Service_level_manager, Business_process_management_suite, Communications_convergence, Communications_diameter_signaling_router, Communications_session_route_manager, Data_integrator, Financial_services_analytical_applications_infrastructure, Flexcube_private_banking, Hospitality_guest_access, Managed_file_transfer, Peoplesoft_enterprise_hcm_global_payroll_switzerland, Peoplesoft_enterprise_peopletools, Retail_xstore_point_of_service, Soa_suite, Webcenter_portal, Weblogic_server 7.5
2020-05-20 CVE-2020-9484 When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be... Tomcat, Ubuntu_linux, Debian_linux, Fedora, Epolicy_orchestrator, Leap, Agile_engineering_data_management, Agile_plm, Communications_cloud_native_core_binding_support_function, Communications_cloud_native_core_policy, Communications_diameter_signaling_router, Communications_element_manager, Communications_instant_messaging_server, Communications_session_report_manager, Communications_session_route_manager, Database, Fmw_platform, Hospitality_guest_access, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Retail_order_broker, Siebel_apps_\-_marketing, Siebel_ui_framework, Transportation_management, Workload_manager 7.0
2020-07-14 CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. Tomcat, Ubuntu_linux, Debian_linux, Epolicy_orchestrator, Oncommand_system_manager, Leap, Agile_engineering_data_management, Agile_plm, Blockchain_platform, Commerce_guided_search, Communications_cloud_native_core_policy, Communications_instant_messaging_server, Fmw_platform, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Siebel_ui_framework, Workload_manager 7.5
2020-07-14 CVE-2020-13934 An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. Tomcat, Ubuntu_linux, Debian_linux, Oncommand_system_manager, Leap, Agile_engineering_data_management, Agile_plm, Communications_instant_messaging_server, Fmw_platform, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Siebel_ui_framework, Workload_manager 7.5
2021-03-01 CVE-2021-25122 When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. Tomcat, Debian_linux, Agile_plm, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_instant_messaging_server, Database, Graph_server_and_client, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Siebel_ui_framework 7.5
2021-03-01 CVE-2021-25329 The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. Tomcat, Debian_linux, Agile_plm, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_instant_messaging_server, Database, Graph_server_and_client, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Siebel_ui_framework 7.0
2021-07-12 CVE-2021-33037 Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the... Tomcat, Tomee, Debian_linux, Epolicy_orchestrator, Agile_plm, Communications_cloud_native_core_policy, Communications_cloud_native_core_service_communication_proxy, Communications_diameter_signaling_router, Communications_instant_messaging_server, Communications_policy_management, Communications_pricing_design_center, Communications_session_report_manager, Communications_session_route_manager, Graph_server_and_client, Healthcare_translational_research, Hospitality_cruise_shipboard_property_management_system, Instantis_enterprisetrack, Managed_file_transfer, Mysql_enterprise_monitor, Sd\-Wan_edge, Secure_global_desktop, Utilities_testing_accelerator 5.3
2021-10-14 CVE-2021-42340 The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. Tomcat, Debian_linux, Hci, Management_services_for_element_software, Agile_engineering_data_management, Big_data_spatial_and_graph, Communications_diameter_signaling_router, Hospitality_cruise_shipboard_property_management_system, Managed_file_transfer, Middleware_common_libraries_and_tools, Payment_interface, Retail_customer_insights, Retail_data_extractor_for_merchandising, Retail_eftlink, Retail_financial_integration, Retail_store_inventory_management, Sd\-Wan_edge, Taleo_platform 7.5