ID

VAR-201801-0036


CVE

CVE-2015-9251


TITLE

Red Hat Security Advisory 2020-0729-01

Trust: 0.1

sources: PACKETSTORM: 156630

DESCRIPTION

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery is an open source, cross-browser JavaScript library developed by American John Resig programmers. The library simplifies the operation between HTML and JavaScript, and has the characteristics of modularization and plug-in extension. A cross-site scripting vulnerability exists in jQuery versions prior to 3.0.0. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. Description: Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project. Solution: To install this update, do the following: 1. Download the Data Grid 7.3.5 server patch from the customer portal. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. Install the Data Grid 7.3.5 server patch. Refer to the 7.3 Release Notes for patching instructions. Restart Data Grid to ensure the changes take effect. Bugs fixed (https://bugzilla.redhat.com/): 1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests 1755831 - CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource 1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package 1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS 5. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: ipa security, bug fix, and enhancement update Advisory ID: RHSA-2020:3936-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:3936 Issue date: 2020-09-29 CVE Names: CVE-2015-9251 CVE-2016-10735 CVE-2018-14040 CVE-2018-14042 CVE-2018-20676 CVE-2018-20677 CVE-2019-8331 CVE-2019-11358 CVE-2020-1722 CVE-2020-11022 ==================================================================== 1. Summary: An update for ipa is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. The following packages have been upgraded to a later upstream version: ipa (4.6.8). (BZ#1819725) Security Fix(es): * js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251) * bootstrap: XSS in the data-target attribute (CVE-2016-10735) * bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040) * bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip. (CVE-2018-14042) * bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676) * bootstrap: XSS in the affix configuration target property (CVE-2018-20677) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * ipa: No password length restriction leads to denial of service (CVE-2020-1722) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests 1404770 - ID Views: do not allow custom Views for the masters 1545755 - ipa-replica-prepare should not update pki admin password. 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip. 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute 1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection 1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6 1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client 1756568 - ipa-server-certinstall man page does not match built-in help. 1758406 - KRA authentication fails when IPA CA has custom Subject DN 1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements 1771356 - Default client configuration breaks ssh in FIPS mode. 1780548 - Man page ipa-cacert-manage does not display correctly on RHEL 1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas 1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd 1788907 - Renewed certs are not picked up by IPA CAs 1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service 1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA 1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems 1817886 - ipa group-add-member: prevent adding IPA objects as external members 1817918 - Secure tomcat AJP connector 1817919 - Enable compat tree to provide information about AD users and groups on trust agents 1817922 - covscan memory leaks report 1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None." 1817927 - host-add --password logs cleartext userpassword to Apache error log 1819725 - Rebase IPA to latest 4.6.x version 1825829 - ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1829787 - ipa service-del deletes the required principal when specified in lower/upper case 1834385 - Man page syntax issue detected by rpminspect 1842950 - ipa-adtrust-install fails when replica is offline 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: ipa-4.6.8-5.el7.src.rpm noarch: ipa-client-common-4.6.8-5.el7.noarch.rpm ipa-common-4.6.8-5.el7.noarch.rpm ipa-python-compat-4.6.8-5.el7.noarch.rpm python2-ipaclient-4.6.8-5.el7.noarch.rpm python2-ipalib-4.6.8-5.el7.noarch.rpm x86_64: ipa-client-4.6.8-5.el7.x86_64.rpm ipa-debuginfo-4.6.8-5.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: ipa-server-common-4.6.8-5.el7.noarch.rpm ipa-server-dns-4.6.8-5.el7.noarch.rpm python2-ipaserver-4.6.8-5.el7.noarch.rpm x86_64: ipa-debuginfo-4.6.8-5.el7.x86_64.rpm ipa-server-4.6.8-5.el7.x86_64.rpm ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: ipa-4.6.8-5.el7.src.rpm noarch: ipa-client-common-4.6.8-5.el7.noarch.rpm ipa-common-4.6.8-5.el7.noarch.rpm ipa-python-compat-4.6.8-5.el7.noarch.rpm python2-ipaclient-4.6.8-5.el7.noarch.rpm python2-ipalib-4.6.8-5.el7.noarch.rpm x86_64: ipa-client-4.6.8-5.el7.x86_64.rpm ipa-debuginfo-4.6.8-5.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: ipa-server-common-4.6.8-5.el7.noarch.rpm ipa-server-dns-4.6.8-5.el7.noarch.rpm python2-ipaserver-4.6.8-5.el7.noarch.rpm x86_64: ipa-debuginfo-4.6.8-5.el7.x86_64.rpm ipa-server-4.6.8-5.el7.x86_64.rpm ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: ipa-4.6.8-5.el7.src.rpm noarch: ipa-client-common-4.6.8-5.el7.noarch.rpm ipa-common-4.6.8-5.el7.noarch.rpm ipa-python-compat-4.6.8-5.el7.noarch.rpm ipa-server-common-4.6.8-5.el7.noarch.rpm ipa-server-dns-4.6.8-5.el7.noarch.rpm python2-ipaclient-4.6.8-5.el7.noarch.rpm python2-ipalib-4.6.8-5.el7.noarch.rpm python2-ipaserver-4.6.8-5.el7.noarch.rpm ppc64: ipa-client-4.6.8-5.el7.ppc64.rpm ipa-debuginfo-4.6.8-5.el7.ppc64.rpm ppc64le: ipa-client-4.6.8-5.el7.ppc64le.rpm ipa-debuginfo-4.6.8-5.el7.ppc64le.rpm s390x: ipa-client-4.6.8-5.el7.s390x.rpm ipa-debuginfo-4.6.8-5.el7.s390x.rpm x86_64: ipa-client-4.6.8-5.el7.x86_64.rpm ipa-debuginfo-4.6.8-5.el7.x86_64.rpm ipa-server-4.6.8-5.el7.x86_64.rpm ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: ipa-4.6.8-5.el7.src.rpm noarch: ipa-client-common-4.6.8-5.el7.noarch.rpm ipa-common-4.6.8-5.el7.noarch.rpm ipa-python-compat-4.6.8-5.el7.noarch.rpm ipa-server-common-4.6.8-5.el7.noarch.rpm ipa-server-dns-4.6.8-5.el7.noarch.rpm python2-ipaclient-4.6.8-5.el7.noarch.rpm python2-ipalib-4.6.8-5.el7.noarch.rpm python2-ipaserver-4.6.8-5.el7.noarch.rpm x86_64: ipa-client-4.6.8-5.el7.x86_64.rpm ipa-debuginfo-4.6.8-5.el7.x86_64.rpm ipa-server-4.6.8-5.el7.x86_64.rpm ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-9251 https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14040 https://access.redhat.com/security/cve/CVE-2018-14042 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/cve/CVE-2020-1722 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3Of/9zjgjWX9erEAQjmHBAAi+u4CgMbaduuYvMAMbNKqT/0X8Y02udQ maW4rfZ6udfHWJ21h1VlD/INXHB3sBFC2vpXsgJD7dTkUsZYIx73LrQFkakTzIWc xSQalxNs+Fjh/ot/JMiKQzQUmZeu/vUYgVB81y+hczg5dys3q1mnu42GWe18sJIc FCY2R3mBTnFUZoc/3JDHeVRJU8eq51oqRgNaz+Fl+CoFkR81P6mD8wybIIAsBx14 Ykya/awQf+OuBCe5tqfTV1+KS2U4+tqiqapzALt7dhjfA9Jayc9/UvQjGCyrmGvP +BBBPSqGOS81jpPo0ouM3OtadWrGAWERMwtrR+POUp1rnMxy2kI0EpebnzSOtJy2 xExPZtcTjjgWvIMDdrJJ5DXG6cP5j3GjyvFknmCtCqvXzo90gw73psi6roG+g/a8 UyML+be8jnJK7571X3dz6OCYBExaHqM21ukUEfdvddszhw92J3fxmDm5+picETB9 dZ++VtV1lCBOlKW1SDG/ggk7PeSRGTDL5IkekopO1w89r3QsfqyFudlsNT0dDgk7 8Kzn8YpCWln1Kp0UbVushKRT+KllZRTKzXTBfiEWiYtQiwyL9zj/DrxagXXbiPe7 5mZnk62sAdKya3On4ejgPQ8Nq8oKHzRfaig/CNaNiB00HgZcRdQokPQ9+DRnkdNS UR3S5ZAZvb8=SWQt -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/): JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001 JBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001 JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001 JBEAP-23928 - Tracker bug for the EAP 7.4.9 release for RHEL-9 JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001 JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001 JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001 JBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001 JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001 JBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001 JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001 JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002 JBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001 JBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001 JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003 JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2 JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001 JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001 7

Trust: 1.44

sources: NVD: CVE-2015-9251 // VULHUB: VHN-87212 // PACKETSTORM: 156630 // PACKETSTORM: 159876 // PACKETSTORM: 159353 // PACKETSTORM: 170819 // PACKETSTORM: 170823

AFFECTED PRODUCTS

vendor:jquerymodel:jqueryscope:ltversion:3.0.0

Trust: 1.0

vendor:oraclemodel:financial services analytical applications infrastructurescope:gteversion:8.0.0

Trust: 1.0

vendor:oraclemodel:financial services liquidity risk managementscope:lteversion:8.0.6

Trust: 1.0

vendor:oraclemodel:financial services loan loss forecasting and provisioningscope:gteversion:8.0.2

Trust: 1.0

vendor:oraclemodel:retail workforce management softwarescope:eqversion:1.60.9

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:lteversion:4.3.0.4

Trust: 1.0

vendor:oraclemodel:primavera unifierscope:lteversion:17.12

Trust: 1.0

vendor:oraclemodel:jd edwards enterpriseone toolsscope:eqversion:9.2

Trust: 1.0

vendor:oraclemodel:financial services data integration hubscope:gteversion:8.0.5

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.55

Trust: 1.0

vendor:oraclemodel:jdeveloperscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:primavera unifierscope:eqversion:16.2

Trust: 1.0

vendor:oraclemodel:oss support toolsscope:eqversion:19.1

Trust: 1.0

vendor:oraclemodel:retail allocationscope:eqversion:15.0.2

Trust: 1.0

vendor:oraclemodel:healthcare foundationscope:eqversion:7.1

Trust: 1.0

vendor:oraclemodel:service busscope:eqversion:12.1.3.0.0

Trust: 1.0

vendor:oraclemodel:primavera unifierscope:gteversion:17.1

Trust: 1.0

vendor:oraclemodel:siebel ui frameworkscope:eqversion:18.11

Trust: 1.0

vendor:oraclemodel:communications converged application serverscope:ltversion:7.0.0.1

Trust: 1.0

vendor:oraclemodel:hospitality guest accessscope:eqversion:4.2.0

Trust: 1.0

vendor:oraclemodel:financial services market risk measurement and managementscope:eqversion:8.0.6

Trust: 1.0

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.3.3

Trust: 1.0

vendor:oraclemodel:financial services data integration hubscope:lteversion:8.0.7

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.56

Trust: 1.0

vendor:oraclemodel:communications interactive session recorderscope:eqversion:6.0

Trust: 1.0

vendor:oraclemodel:agile product lifecycle management for processscope:eqversion:6.2.3.0

Trust: 1.0

vendor:oraclemodel:insurance insbridge rating and underwritingscope:eqversion:5.4

Trust: 1.0

vendor:oraclemodel:agile product lifecycle management for processscope:eqversion:6.2.1.0

Trust: 1.0

vendor:oraclemodel:banking platformscope:eqversion:2.6.1

Trust: 1.0

vendor:oraclemodel:banking platformscope:eqversion:2.6.2

Trust: 1.0

vendor:oraclemodel:enterprise operations monitorscope:eqversion:3.4

Trust: 1.0

vendor:oraclemodel:jdeveloperscope:eqversion:12.1.3.0.0

Trust: 1.0

vendor:oraclemodel:weblogic serverscope:eqversion:12.2.1.3

Trust: 1.0

vendor:oraclemodel:jdeveloperscope:eqversion:11.1.1.9.0

Trust: 1.0

vendor:oraclemodel:insurance insbridge rating and underwritingscope:eqversion:5.5

Trust: 1.0

vendor:oraclemodel:financial services funds transfer pricingscope:lteversion:8.0.7

Trust: 1.0

vendor:oraclemodel:hospitality guest accessscope:eqversion:4.2.1

Trust: 1.0

vendor:oraclemodel:financial services asset liability managementscope:gteversion:8.0.4

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:15.2

Trust: 1.0

vendor:oraclemodel:financial services hedge management and ifrs valuationsscope:gteversion:8.0.4

Trust: 1.0

vendor:oraclemodel:real-time schedulerscope:eqversion:2.3.0

Trust: 1.0

vendor:oraclemodel:financial services hedge management and ifrs valuationsscope:lteversion:8.0.7

Trust: 1.0

vendor:oraclemodel:financial services liquidity risk managementscope:gteversion:8.0.2

Trust: 1.0

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.2.2

Trust: 1.0

vendor:oraclemodel:hospitality cruise fleet managementscope:eqversion:9.0.11

Trust: 1.0

vendor:oraclemodel:financial services reconciliation frameworkscope:eqversion:8.0.6

Trust: 1.0

vendor:oraclemodel:insurance insbridge rating and underwritingscope:eqversion:5.2

Trust: 1.0

vendor:oraclemodel:communications interactive session recorderscope:eqversion:6.2

Trust: 1.0

vendor:oraclemodel:enterprise operations monitorscope:eqversion:4.0

Trust: 1.0

vendor:oraclemodel:financial services analytical applications infrastructurescope:lteversion:8.0.7

Trust: 1.0

vendor:oraclemodel:financial services analytical applications infrastructurescope:gteversion:7.3.3

Trust: 1.0

vendor:oraclemodel:healthcare translational researchscope:eqversion:3.1.0

Trust: 1.0

vendor:oraclemodel:banking platformscope:eqversion:2.6.0

Trust: 1.0

vendor:oraclemodel:agile product lifecycle management for processscope:eqversion:6.2.3.1

Trust: 1.0

vendor:oraclemodel:weblogic serverscope:eqversion:12.1.3.0

Trust: 1.0

vendor:oraclemodel:communications interactive session recorderscope:eqversion:6.1

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:16.2

Trust: 1.0

vendor:oraclemodel:healthcare foundationscope:eqversion:7.2

Trust: 1.0

vendor:oraclemodel:financial services market risk measurement and managementscope:eqversion:8.0.5

Trust: 1.0

vendor:oraclemodel:siebel ui frameworkscope:eqversion:18.10

Trust: 1.0

vendor:oraclemodel:retail workforce management softwarescope:eqversion:1.64.0

Trust: 1.0

vendor:oraclemodel:hospitality reporting and analyticsscope:eqversion:9.1.0

Trust: 1.0

vendor:oraclemodel:financial services profitability managementscope:gteversion:8.0.4

Trust: 1.0

vendor:oraclemodel:fusion middleware mapviewerscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:agile product lifecycle management for processscope:eqversion:6.2.2.0

Trust: 1.0

vendor:oraclemodel:communications webrtc session controllerscope:ltversion:7.2

Trust: 1.0

vendor:oraclemodel:retail invoice matchingscope:eqversion:15.0

Trust: 1.0

vendor:oraclemodel:primavera unifierscope:eqversion:16.1

Trust: 1.0

vendor:oraclemodel:business process management suitescope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:retail customer insightsscope:eqversion:15.0

Trust: 1.0

vendor:oraclemodel:agile product lifecycle management for processscope:eqversion:6.2.0.0

Trust: 1.0

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.57

Trust: 1.0

vendor:oraclemodel:primavera gatewayscope:eqversion:17.12

Trust: 1.0

vendor:oraclemodel:financial services loan loss forecasting and provisioningscope:lteversion:8.0.7

Trust: 1.0

vendor:oraclemodel:utilities mobile workforce managementscope:eqversion:2.3.0

Trust: 1.0

vendor:oraclemodel:utilities frameworkscope:gteversion:4.3.0.1

Trust: 1.0

vendor:oraclemodel:endeca information discovery studioscope:eqversion:3.2.0

Trust: 1.0

vendor:oraclemodel:financial services funds transfer pricingscope:gteversion:8.0.4

Trust: 1.0

vendor:oraclemodel:financial services reconciliation frameworkscope:eqversion:8.0.5

Trust: 1.0

vendor:oraclemodel:retail customer insightsscope:eqversion:16.0

Trust: 1.0

vendor:oraclemodel:service busscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:webcenter sitesscope:eqversion:11.1.1.8.0

Trust: 1.0

vendor:oraclemodel:financial services asset liability managementscope:lteversion:8.0.7

Trust: 1.0

vendor:oraclemodel:financial services profitability managementscope:lteversion:8.0.6

Trust: 1.0

vendor:oraclemodel:retail sales auditscope:eqversion:15.0

Trust: 1.0

vendor:oraclemodel:primavera unifierscope:eqversion:18.8

Trust: 1.0

vendor:oraclemodel:financial services analytical applications infrastructurescope:lteversion:7.3.5

Trust: 1.0

vendor:oraclemodel:business process management suitescope:eqversion:12.1.3.0.0

Trust: 1.0

vendor:oraclemodel:hospitality materials controlscope:eqversion:18.1

Trust: 1.0

vendor:oraclemodel:communications services gatekeeperscope:ltversion:6.1.0.4.0

Trust: 1.0

vendor:oraclemodel:endeca information discovery studioscope:eqversion:3.1.0

Trust: 1.0

vendor:oraclemodel:business process management suitescope:eqversion:11.1.1.9.0

Trust: 1.0

sources: NVD: CVE-2015-9251

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-9251
value: MEDIUM

Trust: 1.0

VULHUB: VHN-87212
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-9251
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-87212
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-9251
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-87212 // NVD: CVE-2015-9251

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

sources: VULHUB: VHN-87212 // NVD: CVE-2015-9251

TYPE

code execution, xss, memory leak

Trust: 0.2

sources: PACKETSTORM: 159876 // PACKETSTORM: 159353

EXTERNAL IDS

db:NVDid:CVE-2015-9251

Trust: 1.6

db:PACKETSTORMid:153237

Trust: 1.1

db:PACKETSTORMid:156743

Trust: 1.1

db:PACKETSTORMid:152787

Trust: 1.1

db:TENABLEid:TNS-2019-08

Trust: 1.1

db:ICS CERTid:ICSA-18-212-04

Trust: 1.1

db:PULSESECUREid:SA44601

Trust: 1.1

db:BIDid:105658

Trust: 1.1

db:PACKETSTORMid:159353

Trust: 0.2

db:PACKETSTORMid:170819

Trust: 0.2

db:PACKETSTORMid:159876

Trust: 0.2

db:PACKETSTORMid:170823

Trust: 0.2

db:PACKETSTORMid:156630

Trust: 0.2

db:PACKETSTORMid:156315

Trust: 0.1

db:PACKETSTORMid:170817

Trust: 0.1

db:PACKETSTORMid:159852

Trust: 0.1

db:PACKETSTORMid:170821

Trust: 0.1

db:PACKETSTORMid:156941

Trust: 0.1

db:CNNVDid:CNNVD-201801-798

Trust: 0.1

db:SEEBUGid:SSVID-98926

Trust: 0.1

db:VULHUBid:VHN-87212

Trust: 0.1

sources: VULHUB: VHN-87212 // PACKETSTORM: 156630 // PACKETSTORM: 159876 // PACKETSTORM: 159353 // PACKETSTORM: 170819 // PACKETSTORM: 170823 // NVD: CVE-2015-9251

REFERENCES

url:https://access.redhat.com/errata/rhsa-2020:0729

Trust: 1.2

url:http://www.securityfocus.com/bid/105658

Trust: 1.1

url:https://seclists.org/bugtraq/2019/may/18

Trust: 1.1

url:https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44601

Trust: 1.1

url:https://security.netapp.com/advisory/ntap-20210108-0004/

Trust: 1.1

url:http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Trust: 1.1

url:https://www.tenable.com/security/tns-2019-08

Trust: 1.1

url:http://seclists.org/fulldisclosure/2019/may/13

Trust: 1.1

url:http://seclists.org/fulldisclosure/2019/may/11

Trust: 1.1

url:http://seclists.org/fulldisclosure/2019/may/10

Trust: 1.1

url:http://packetstormsecurity.com/files/152787/dotcms-5.1.1-vulnerable-dependencies.html

Trust: 1.1

url:http://packetstormsecurity.com/files/153237/retirejs-cors-issue-script-execution.html

Trust: 1.1

url:http://packetstormsecurity.com/files/156743/octobercms-insecure-dependencies.html

Trust: 1.1

url:https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc

Trust: 1.1

url:https://github.com/jquery/jquery/issues/2432

Trust: 1.1

url:https://github.com/jquery/jquery/pull/2588

Trust: 1.1

url:https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2

Trust: 1.1

url:https://ics-cert.us-cert.gov/advisories/icsa-18-212-04

Trust: 1.1

url:https://snyk.io/vuln/npm:jquery:20150627

Trust: 1.1

url:https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/securitybulletin_lfsec126.pdf

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuapr2020.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 1.1

url:https://www.oracle.com/security-alerts/cpuoct2020.html

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 1.1

url:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Trust: 1.1

url:https://access.redhat.com/errata/rhsa-2020:0481

Trust: 1.1

url:http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

Trust: 1.1

url:https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3cdev.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3cdev.drill.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3cuser.flink.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3cdev.drill.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3ccommits.roller.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3cissues.drill.apache.org%3e

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2015-9251

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2015-9251

Trust: 0.5

url:https://bugzilla.redhat.com/):

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:https://access.redhat.com/security/cve/cve-2018-14042

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2019-8331

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2018-14040

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2018-14042

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-11022

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2019-11358

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2016-10735

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-11358

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2018-14040

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2020-11022

Trust: 0.4

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2016-10735

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2019-8331

Trust: 0.4

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-1722

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-20676

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-1722

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-20676

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-20677

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-20677

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-11023

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-40150

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-3143

Trust: 0.2

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-42003

Trust: 0.2

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-42004

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-14041

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-40150

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-45047

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2017-18214

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-40152

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-40149

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-40149

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2020-11023

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-40152

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-14041

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2017-18214

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-45693

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-46364

Trust: 0.2

url:https://issues.jboss.org/):

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2022-3143

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3cdev.drill.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3cdev.drill.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3cissues.drill.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3cdev.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3cuser.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3cuser.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3cuser.flink.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3ccommits.roller.apache.org%3e

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-16335

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14892

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14892

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/softwaredetail.html?softwareidp381&product\xdata.grid&version=7.3&downloadtype=patches

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14893

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14893

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-16335

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14888

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14888

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:4670

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:3936

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:0554

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:0553

Trust: 0.1

sources: VULHUB: VHN-87212 // PACKETSTORM: 156630 // PACKETSTORM: 159876 // PACKETSTORM: 159353 // PACKETSTORM: 170819 // PACKETSTORM: 170823 // NVD: CVE-2015-9251

CREDITS

Red Hat

Trust: 0.5

sources: PACKETSTORM: 156630 // PACKETSTORM: 159876 // PACKETSTORM: 159353 // PACKETSTORM: 170819 // PACKETSTORM: 170823

SOURCES

db:VULHUBid:VHN-87212
db:PACKETSTORMid:156630
db:PACKETSTORMid:159876
db:PACKETSTORMid:159353
db:PACKETSTORMid:170819
db:PACKETSTORMid:170823
db:NVDid:CVE-2015-9251

LAST UPDATE DATE

2024-11-20T20:09:14.061000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-87212date:2021-01-08T00:00:00
db:NVDid:CVE-2015-9251date:2023-11-07T02:28:57.737

SOURCES RELEASE DATE

db:VULHUBid:VHN-87212date:2018-01-18T00:00:00
db:PACKETSTORMid:156630date:2020-03-05T14:42:33
db:PACKETSTORMid:159876date:2020-11-04T15:32:52
db:PACKETSTORMid:159353date:2020-09-30T15:44:20
db:PACKETSTORMid:170819date:2023-01-31T17:19:24
db:PACKETSTORMid:170823date:2023-01-31T17:26:38
db:NVDid:CVE-2015-9251date:2018-01-18T23:29:00.307