Primavera Gateway

primavera_gateway

Vendor: Oracle • 59 CVEs

CVEs (59)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-21888 1Oracle 1Primavera Gateway Nov 21, 2024 Jan 18, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: WebUI). Supported versions that are affected are 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10 and 21.12.0-21.12.8....Show more Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: WebUI). Supported versions that are affected are 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10 and 21.12.0-21.12.8. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera Gateway. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Gateway, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Gateway accessible data as well as unauthorized read access to a subset of Primavera Gateway accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).Show less
CVE-2020-36518 4Debian FasterxmlNetapp+1 more 36Active Iq Unified Manager Big Data Spatial And GraphCloud Insights Acquisition Unit+33 more Aug 27, 2025 Mar 11, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVE-2022-23437 3Apache NetappOracle 29Active Iq Unified Manager Agile Engineering Data ManagementAgile Plm+26 more Nov 21, 2024 Jan 24, 2022 N/A· v4 6.5 MEDIUM· v3 7.1 HIGH· v2 There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consu...Show more There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.Show less
CVE-2021-44832 5Apache CiscoDebian+2 more 22Cloudcenter Communications Brm Elastic Charging EngineCommunications Diameter Signaling Router+19 more May 29, 2026 Dec 28, 2021 N/A· v4 6.6 MEDIUM· v3 8.5 HIGH· v2 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data so...Show more Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.Show less
CVE-2021-45105 5Apache DebianNetapp+2 more 1166bk1602 0aa12 0tp0 Firmware 6bk1602 0aa22 0tp0 Firmware6bk1602 0aa32 0tp0 Firmware+113 more May 29, 2026 Dec 18, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data t...Show more Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.Show less
CVE-2021-41183 7Debian DrupalFedoraproject+4 more 28Agile Plm Application ExpressBanking Platform+25 more Nov 21, 2024 Oct 26, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fi...Show more jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `Text` options from untrusted sources.Show less
CVE-2021-2351 1Oracle 111Advanced Networking Option Agile Engineering Data ManagementAgile Plm+108 more Nov 21, 2024 Jul 21, 2021 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker...Show more Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).Show less
CVE-2021-36374 2Apache Oracle 36Agile Engineering Data Management Agile PlmAnt+33 more Nov 21, 2024 Jul 14, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to dis...Show more When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.Show less
CVE-2021-36373 2Apache Oracle 32Agile Plm AntBanking Trade Finance+29 more Nov 21, 2024 Jul 14, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds usi...Show more When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.Show less
CVE-2021-36090 3Apache NetappOracle 34Active Iq Unified Manager Banking ApisBanking Digital Experience+31 more Nov 21, 2024 Jul 13, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of serv...Show more When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.Show less
CVE-2021-21409 5Debian NetappNetty+2 more 18Banking Corporate Lending Process Management Banking Credit Facilities Process ManagementBanking Trade Finance Process Management+15 more Nov 21, 2024 Mar 30, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1...Show more Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.Show less
CVE-2021-23337 4Lodash NetappOracle+1 more 23Active Iq Unified Manager Banking Corporate Lending Process ManagementBanking Credit Facilities Process Management+20 more Nov 21, 2024 Feb 15, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVE-2020-28500 3Lodash OracleSiemens 19Banking Corporate Lending Process Management Banking Credit Facilities Process ManagementBanking Extensibility Workbench+16 more Nov 21, 2024 Feb 15, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVE-2020-36183 4Debian FasterxmlNetapp+1 more 45Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+42 more Apr 29, 2026 Jan 7, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVE-2020-36182 4Debian FasterxmlNetapp+1 more 45Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+42 more Nov 21, 2024 Jan 7, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36180 4Debian FasterxmlNetapp+1 more 45Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+42 more Nov 21, 2024 Jan 7, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36179 4Debian FasterxmlNetapp+1 more 43Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+40 more Nov 21, 2024 Jan 7, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36189 4Debian FasterxmlNetapp+1 more 40Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+37 more Nov 21, 2024 Jan 6, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CVE-2020-36188 4Debian FasterxmlNetapp+1 more 45Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+42 more Nov 21, 2024 Jan 6, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVE-2020-36187 4Debian FasterxmlNetapp+1 more 45Agile Plm Application Testing SuiteAutovue For Agile Product Lifecycle Management+42 more Nov 21, 2024 Jan 6, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

12 3 Next