Identity Management Suite
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5645 | Cri | 0.71 | 9.8 | 0.89 | Apr 17, 2017 | In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | ||
| CVE-2022-23307 | Hig | 0.57 | 8.8 | 0.52 | Jan 18, 2022 | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. | ||
| CVE-2022-23305 | Cri | 0.57 | 9.8 | 0.67 | Jan 18, 2022 | By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering… | ||
| CVE-2021-45105 | Med | 0.37 | 5.9 | 1.00 | Dec 18, 2021 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is… | ||
| CVE-2018-2417 | Med | 0.35 | 5.3 | 0.01 | May 9, 2018 | Under certain conditions, the SAP Identity Management 8.0 (pass of type ToASCII) allows an attacker to access information which would otherwise be restricted. | ||
| CVE-2018-2416 | Med | 0.35 | 5.4 | 0.02 | May 9, 2018 | SAP Identity Management 7.2 and 8.0 do not sufficiently validate an XML document accepted from an untrusted source. | ||
| CVE-2020-6258 | 0.00 | — | 0.01 | May 12, 2020 | SAP Identity Management, version 8.0, does not perform necessary authorization checks for an authenticated user, allowing the attacker to view certain sensitive information of the victim, leading to Missing Authorization Check. |
- risk 0.71cvss 9.8epss 0.89
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
- risk 0.57cvss 8.8epss 0.52
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
- risk 0.57cvss 9.8epss 0.67
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering…
- risk 0.37cvss 5.9epss 1.00
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is…
- risk 0.35cvss 5.3epss 0.01
Under certain conditions, the SAP Identity Management 8.0 (pass of type ToASCII) allows an attacker to access information which would otherwise be restricted.
- risk 0.35cvss 5.4epss 0.02
SAP Identity Management 7.2 and 8.0 do not sufficiently validate an XML document accepted from an untrusted source.
- CVE-2020-6258May 12, 2020risk 0.00cvss —epss 0.01
SAP Identity Management, version 8.0, does not perform necessary authorization checks for an authenticated user, allowing the attacker to view certain sensitive information of the victim, leading to Missing Authorization Check.