Product:

Retail_xstore_point_of_service

(Oracle)
Repositories https://github.com/bcgit/bc-java
#Vulnerabilities 41
Date Id Summary Products Score Patch Annotated
2018-06-27 CVE-2018-12536 In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler,... Jetty, Retail_xstore_point_of_service 5.3
2019-04-22 CVE-2019-10247 In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error,... Jetty, Element, Oncommand_system_manager, Snap_creator_framework, Snapcenter, Snapmanager, Storage_replication_adapter_for_clustered_data_ontap, Storage_services_connector, Vasa_provider_for_clustered_data_ontap, Virtual_storage_console, Autovue, Communications_analytics, Communications_element_manager, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Data_integrator, Endeca_information_discovery_integrator, Enterprise_manager_base_platform, Flexcube_core_banking, Flexcube_private_banking, Hospitality_guest_access, Retail_xstore_point_of_service, Unified_directory 5.3
2018-04-26 CVE-2018-10237 Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. Guava, Banking_payments, Communications_ip_service_activator, Customer_management_and_segmentation_foundation, Database_server, Flexcube_investor_servicing, Flexcube_private_banking, Retail_integration_bus, Retail_xstore_point_of_service, Weblogic_server, Jboss_enterprise_application_platform, Openshift_container_platform, Openstack, Satellite, Satellite_capsule, Virtualization, Virtualization_host 5.9
2019-08-13 CVE-2019-9517 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. Traffic_server, Swiftnio, Ubuntu_linux, Debian_linux, Fedora, Web_gateway, Clustered_data_ontap, Leap, Communications_element_manager, Graalvm, Instantis_enterprisetrack, Retail_xstore_point_of_service, Enterprise_linux, Jboss_core_services, Jboss_enterprise_application_platform, Openshift_service_mesh, Quay, Software_collections, Diskstation_manager, Skynas, Vs960hd_firmware 7.5
2019-04-08 CVE-2019-0217 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. Http_server, Ubuntu_linux, Debian_linux, Fedora, Clustered_data_ontap, Oncommand_unified_manager, Leap, Enterprise_manager_ops_center, Http_server, Retail_xstore_point_of_service, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation 7.5
2019-01-30 CVE-2019-0190 A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. Http_server, Enterprise_manager_ops_center, Hospitality_guest_access, Instantis_enterprisetrack, Retail_xstore_point_of_service 7.5
2018-09-25 CVE-2018-11763 In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. Http_server, Ubuntu_linux, Storage_automation_store, Enterprise_manager_ops_center, Hospitality_guest_access, Instantis_enterprisetrack, Retail_xstore_point_of_service, Secure_global_desktop, Enterprise_linux 5.9
2019-07-29 CVE-2019-14379 SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. Debian_linux, Jackson\-Databind, Fedora, Active_iq_unified_manager, Oncommand_workflow_automation, Service_level_manager, Snapcenter, Banking_platform, Communications_diameter_signaling_router, Communications_instant_messaging_server, Financial_services_analytical_applications_infrastructure, Goldengate_stream_analytics, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Primavera_unifier, Retail_customer_management_and_segmentation_foundation, Retail_xstore_point_of_service, Siebel_engineering_\-_installer_\&_deployment, Siebel_ui_framework, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign\-On 9.8
2019-04-22 CVE-2019-10246 In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. Jetty, Element, Oncommand_system_manager, Snap_creator_framework, Snapcenter, Snapmanager, Storage_replication_adapter_for_clustered_data_ontap, Storage_services_connector, Vasa_provider_for_clustered_data_ontap, Virtual_storage_console, Autovue, Communications_analytics, Communications_element_manager, Communications_services_gatekeeper, Communications_session_report_manager, Communications_session_route_manager, Data_integrator, Endeca_information_discovery_integrator, Enterprise_manager_base_platform, Flexcube_core_banking, Flexcube_private_banking, Hospitality_guest_access, Rest_data_services, Retail_xstore_point_of_service, Unified_directory 5.3
2019-07-23 CVE-2019-10173 It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) Banking_platform, Business_activity_monitoring, Communications_billing_and_revenue_management_elastic_charging_engine, Communications_diameter_signaling_router, Communications_unified_inventory_management, Endeca_information_discovery_studio, Retail_xstore_point_of_service, Utilities_framework, Webcenter_portal, Xstream 9.8