rpm package
almalinux/python-nss-doc
pkg:rpm/almalinux/python-nss-doc
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-17531 | Cri | 9.8 | < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | Oct 12, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the | |
| CVE-2019-16943 | Cri | 9.8 | < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att | |
| CVE-2019-16942 | Cri | 9.8 | < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a | |
| CVE-2019-16335 | Cri | 9.8 | < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | Sep 15, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | |
| CVE-2019-14540 | Cri | 9.8 | < 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma | Sep 15, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | |
| CVE-2019-12384 | Med | 5.9 | < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | Jun 24, 2019 | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | |
| CVE-2018-11784 | Med | 4.3 | < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | Oct 4, 2018 | When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated | |
| CVE-2018-8037 | Med | 5.9 | < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | Aug 2, 2018 | If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors | |
| CVE-2018-8034 | Hig | 7.5 | < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | Aug 1, 2018 | The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. | |
| CVE-2018-8014 | Cri | 9.8 | < 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma | May 16, 2018 | The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it approp |
- affected < 1.0.1-10.module_el8.5.0+2577+9e95fe00.almafixed 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the
- affected < 1.0.1-10.module_el8.5.0+2577+9e95fe00.almafixed 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att
- affected < 1.0.1-10.module_el8.5.0+2577+9e95fe00.almafixed 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a
- affected < 1.0.1-10.module_el8.5.0+2577+9e95fe00.almafixed 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
- affected < 1.0.1-10.module_el8.5.0+2577+9e95fe00.almafixed 1.0.1-10.module_el8.5.0+2577+9e95fe00.alma
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
- affected < 1.0.1-10.module_el8.5.0+150+5f0dbea0.almafixed 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
- affected < 1.0.1-10.module_el8.5.0+150+5f0dbea0.almafixed 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated
- affected < 1.0.1-10.module_el8.5.0+150+5f0dbea0.almafixed 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors
- affected < 1.0.1-10.module_el8.5.0+150+5f0dbea0.almafixed 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
- affected < 1.0.1-10.module_el8.5.0+150+5f0dbea0.almafixed 1.0.1-10.module_el8.5.0+150+5f0dbea0.alma
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it approp