Show filters
39 Total Results
Displaying 21-30 of 39
Sort by:
Attacker Value
Unknown

CVE-2020-25649

Disclosure Date: December 03, 2020 (last updated February 22, 2025)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Attacker Value
Unknown

CVE-2020-27218

Disclosure Date: November 28, 2020 (last updated February 22, 2025)
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
Attacker Value
Unknown

CVE-2020-8277

Disclosure Date: November 19, 2020 (last updated February 22, 2025)
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Attacker Value
Unknown

CVE-2020-24750

Disclosure Date: September 17, 2020 (last updated February 22, 2025)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
Attacker Value
Unknown

CVE-2020-24616

Disclosure Date: August 25, 2020 (last updated February 22, 2025)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Attacker Value
Unknown

CVE-2020-8174

Disclosure Date: July 24, 2020 (last updated February 21, 2025)
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
Attacker Value
Unknown

CVE-2020-8203

Disclosure Date: July 15, 2020 (last updated February 21, 2025)
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Attacker Value
Unknown

CVE-2020-13935

Disclosure Date: July 14, 2020 (last updated February 21, 2025)
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
Attacker Value
Unknown

CVE-2020-15719

Disclosure Date: July 14, 2020 (last updated February 21, 2025)
libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
Attacker Value
Unknown

CVE-2020-8172

Disclosure Date: June 08, 2020 (last updated February 21, 2025)
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.