常用Java组件存在的漏洞

CVE-2017-5645

moderate severity

Vulnerable versions: >= 2.0, < 2.8.2

Patched version: 2.8.2

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

CVE-2020-9488

moderate severity

Vulnerable versions: < 2.13.2

Patched version: 2.13.2

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

CVE-2017-5645

中度严重程度

易受攻击的版本:>=2.0,<2.8.2

修补版本:2.8.2

在2.8.2之前的Apache Log4j 2.x中,当使用TCP套接字服务器或UDP套接字服务器接收来自另一个应用程序的序列化日志事件时,可以发送一个精心编制的二进制负载,当反序列化时,可以执行任意代码。

CVE-2020-9488

中度严重程度

<13.2.2易受攻击的版本

修补版本:2.13.2

Apache Log4j SMTP appender中的证书验证不正确,主机不匹配。这可能会使SMTPS连接被中间人攻击拦截,这可能会泄漏通过该附件发送的任何日志消息。

 

CVE-2019-2692
moderate severity
Vulnerable versions: < 8.0.16
Patched version: 8.0.16
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CVE-2019-2692号文件

中度严重程度

易受攻击的版本:<8.0.16

补丁版本:8.0.16

Oracle MySQL的MySQL连接器组件(子组件:Connector/J)中存在漏洞。受影响的受支持版本为8.0.15及更早版本。难以利用的漏洞允许高权限攻击者登录到执行MySQL连接器的基础设施,从而危害MySQL连接器。成功的攻击需要攻击者以外的人与人进行交互。成功攻击此漏洞可导致接管MySQL连接器。CVSS 3.0基本得分6.3(机密性、完整性和可用性影响)。CVSS矢量:(CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)。

 

 

CVE-2019-17571

moderate severity

Vulnerable versions: >= 1.2, <= 1.2.27

Patched version: No fix

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVE-2019-17571

中度严重程度

易受攻击的版本:>=1.2,<=1.2.27

修补版本:无修复

log4j1.2中包含一个SocketServer类,该类易受不可信数据反序列化的攻击,当监听日志数据的不可信网络流量时,该类与反序列化小工具结合使用,可远程执行任意代码。这会影响到1.2到1.2.17的Log4j版本。

你可能感兴趣的:(问题,Java)