Multiple vulnerabilities in Cloudera Observability on Premises with IBM

1) Deserialization of Untrusted Data

EUVDB-ID: #VU26493

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10672

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU77362

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-34455

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Integer overflow

EUVDB-ID: #VU77359

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-34453

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in shuffle. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Integer overflow

EUVDB-ID: #VU77361

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-34454

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in compress. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU82454

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-43642

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing upper bound check on chunk length. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information Exposure Through an Error Message

EUVDB-ID: #VU116606

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-49128

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. A local user can gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU112106

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-52999

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when parsing deeply nested JSON files. A remote attacker can pass a specially crafted JSON file to the application, trigger memory corruption and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Uncontrolled Recursion

EUVDB-ID: #VU75044

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-1370

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource management error

EUVDB-ID: #VU106926

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-57699

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a specially crafted JSON input. A remote attacker can pass a large number of ’{’ characters to the application and perform a denial of service (DoS) attack.

Note, the vulnerability exists due to incomplete fix for #VU75044 (CVE-2023-1370).

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper access control

EUVDB-ID: #VU111165

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-48734

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions to enum properties. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Deserialization of Untrusted Data

EUVDB-ID: #VU25831

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-9547

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

• com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap)

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

12) Input validation error

EUVDB-ID: #VU17779

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-19361

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU19933

Risk: High

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-14379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Deserialization of Untrusted Data

EUVDB-ID: #VU29131

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-14061

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Deserialization of Untrusted Data

EUVDB-ID: #VU49367

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-36188

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

16) Deserialization of Untrusted Data

EUVDB-ID: #VU26490

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-11113

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

17) Deserialization of Untrusted Data

EUVDB-ID: #VU49374

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36185

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Input validation error

EUVDB-ID: #VU16786

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1000873

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into deserializing of crafted input with specifically very large values in the nanoseconds field of a time value and cause the service to crash.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Deserialization of untrusted data

EUVDB-ID: #VU11268

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-7489

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions and execute arbitrary code on the target system.

The weakness exists in the readValue method due to improper validation of user-input. A remote attacker can send malicious JSON input, bypass security restrictions and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Deserialization of untrusted data

EUVDB-ID: #VU10610

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-5968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to deserialization flaw. A remote attacker can supply specially crafted input, execute arbitrary code and bypass a blacklist on the target system.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Remote code execution

EUVDB-ID: #VU9607

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-15095

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the jackson-databind development library due to improper implementation of blacklists for input handled by the ObjectMapper object readValue method. A remote unauthenticated attacker can send a malicious input and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Deserialization of Untrusted Data

EUVDB-ID: #VU19942

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-12022

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Jodd-db jar in the classpath. A remote attacker can provide an LDAP service to access and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Input validation error

EUVDB-ID: #VU17780

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-19360

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the axis2-transport-jmsclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Deserialization of untrusted data

EUVDB-ID: #VU10257

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2017-17485

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the FasterXML jackson-databind library due to improper validation of user-input handled by the readValue method of the ObjectMapper object. A remote attacker can send malicious input to the vulnerable method of a web application that uses the Spring library in the application's classpath and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

25) Permissions, privileges, and access controls

EUVDB-ID: #VU101893

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-56337

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected system.

The mitigation bypass depends on the version of Java used on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Resource management error

EUVDB-ID: #VU100587

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-52317

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: Yes

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper management of internal resources when handling HTTP/2 responses, which causes request and/or response mix-up between users. A remote non-authenticated attacker can send a series of HTTP/2 requests and gain access to sensitive information.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

27) Resource exhaustion

EUVDB-ID: #VU111162

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2025-48976

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

28) Improper handling of case sensitivity

EUVDB-ID: #VU109959

Risk: Low

CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2025-46701

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

Exploit availability: Yes

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an error when handling URLs on a case insensitive filesystem with security constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI servlet. A remote attacker can bypass imposed security constraints via a specially crafted URL.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

29) Resource exhaustion

EUVDB-ID: #VU111161

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2025-48988

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling multipart requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

30) Improper error handling

EUVDB-ID: #VU107996

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2025-31650

CWE-ID: CWE-388 - Error Handling

Exploit availability: Yes

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient error handling for certain invalid HTTP priority headers. A remote attacker can send a large amount of specially crafted HTTP requests to the server and consume all available memory, resulting in a denial of service condition.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

31) Improper Authentication

EUVDB-ID: #VU100588

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-52316

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests. If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper Protection of Alternate Path

EUVDB-ID: #VU111159

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-49125

CWE-ID: CWE-424 - Improper Protection of Alternate Path

Exploit availability: No

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions when using PreResources or PostResources mounted other than at the root of the web application. A remote attacker can bypass configured security rules using a alternate path and gain unauthorized access to the application. 

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU101814

Risk: Medium

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-50379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

34) Input validation error

EUVDB-ID: #VU105485

Risk: Critical

CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2025-24813

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• attacker knowledge of the names of security sensitive files being uploaded
• the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• application was using Tomcat's file based session persistence with the default storage location
• application included a library that may be leveraged in a deserialization attack

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

35) XXE attack

EUVDB-ID: #VU17777

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-14720

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform XXE attacks.

The vulnerability exists due to fail to block unspecified Java Development Kit (JDK) classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input, conduct an XXE attack to access sensitive information, bypass security restrictions, or cause a denial of service (DoS) condition on the targeted system. 

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Input validation error

EUVDB-ID: #VU107995

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2025-31651

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

The vulnerability allows a remote attacker to bypass rewrite rules.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted input to the application and bypass configured rewrite rules.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

37) Path traversal

EUVDB-ID: #VU98796

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-38819

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

38) Resource exhaustion

EUVDB-ID: #VU114024

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-48989

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP request to the web server and consume all available memory resources, leading to a denial of service. 

Note, this vulnerability is known as HTTP/2 Made You Reset Attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Session Fixation

EUVDB-ID: #VU114443

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-55668

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to session fixation. A remote attacker can trick the victim into opening a specially crafted request to gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Remote code execution

EUVDB-ID: #VU17053

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-14718

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Deserialization of Untrusted Data

EUVDB-ID: #VU19938

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-11307

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the usage of default typing along with a gadget class from iBatis, which allows exfiltration of content. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Input validation error

EUVDB-ID: #VU17781

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-19362

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU17776

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-14721

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to fail to block the axis2-jaxws class from polymorphic deserialization. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Input validation error

EUVDB-ID: #VU17778

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-14719

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Deserialization of Untrusted Data

EUVDB-ID: #VU19943

Risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-12023

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Oracle JDBC jar in the classpath. A remote attacker can provide an LDAP service to access and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Deserialization of untrusted data

EUVDB-ID: #VU9128

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2017-7525

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a deserialization flaw in the jackson-databind component. A remote attacker can send a specially crafted input to the readValue method of the ObjectMapper and execute arbitrary code with privileges of the target service.

Successful exploitation of the vulnerability may result in system compromise.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

47) Input validation error

EUVDB-ID: #VU21470

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-10202

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Deserialization of Untrusted Data

EUVDB-ID: #VU26494

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-10673

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

49) Deserialization of Untrusted Data

EUVDB-ID: #VU26492

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10969

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to  javax.swing.JEditorPane. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

50) Deserialization of Untrusted Data

EUVDB-ID: #VU26488

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11111

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.activemq.*. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

51) Code Injection

EUVDB-ID: #VU25469

Risk: Medium

CVSSv4.0: 2.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-8840

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to absence of xbean-reflect/JNDI gadget blocking. A remote attacker can pass specially crafted input to the application and execute arbitrary Java code on the system, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

52) Information disclosure

EUVDB-ID: #VU19937

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-14439

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

53) Deserialization of Untrusted Data

EUVDB-ID: #VU25834

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-14893

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as "enableDefaultTyping()" or when @JsonTypeInfo is using "Id.CLASS" or "Id.MINIMAL_CLASS" or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

54) Deserialization of Untrusted Data

EUVDB-ID: #VU49373

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-36184

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

55) Deserialization of Untrusted Data

EUVDB-ID: #VU69512

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10650

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data when handling interactions related to the class ignite-jta. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

56) Input validation error

EUVDB-ID: #VU21750

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-17531

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected software.

The vulnerability exists due to a Polymorphic Typing in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to JNDI service and execute a malicious payload.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

57) Deserialization of Untrusted Data

EUVDB-ID: #VU25833

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-14892

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data of a malicious object using commons-configuration 1 and 2 JNDI classes. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

58) Deserialization of Untrusted Data

EUVDB-ID: #VU25832

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-9548

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

• br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core)

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

59) Deserialization of Untrusted Data

EUVDB-ID: #VU68635

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-42003

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized data when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

60) Input validation error

EUVDB-ID: #VU21580

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16942

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests  within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSourc components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

61) Deserialization of Untrusted Data

EUVDB-ID: #VU49371

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36183

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

62) Input validation error

EUVDB-ID: #VU21594

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-17267

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on he system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

63) Deserialization of Untrusted Data

EUVDB-ID: #VU29130

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-14062

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

64) Deserialization of Untrusted Data

EUVDB-ID: #VU49379

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-35490

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

65) Deserialization of Untrusted Data

EUVDB-ID: #VU27032

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11620

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the affected software mishandles the interaction between serialization gadgets and typing, related to "org.apache.commons.jelly.impl.Embedded" (aka commons-jelly). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

66) Information disclosure

EUVDB-ID: #VU19941

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-12086

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the mysql-connector-java jar in the classpath. A remote attacker can send a specially crafted JSON message and read arbitrary local files on the server due to the missing "com.mysql.cj.jdbc.admin.MiniAdmin" validation.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

67) Deserialization of Untrusted Data

EUVDB-ID: #VU26489

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11112

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

68) Deserialization of Untrusted Data

EUVDB-ID: #VU49967

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-20190

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

69) Code Injection

EUVDB-ID: #VU46305

Risk: High

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-24616

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

70) Improper access control

EUVDB-ID: #VU24272

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-20330

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions related to net.sf.ehcache in FasterXML jackson-databind. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

71) Deserialization of Untrusted Data

EUVDB-ID: #VU49380

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-35491

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

72) Information disclosure

EUVDB-ID: #VU18961

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-12814

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

73) Deserialization of Untrusted Data

EUVDB-ID: #VU26491

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-10968

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

74) Resource exhaustion

EUVDB-ID: #VU68832

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-42004

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control usage of deeply nested arrays in BeanDeserializer._deserializeFromArray. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

75) Deserialization of Untrusted Data

EUVDB-ID: #VU19018

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-12384

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

76) Deserialization of Untrusted Data

EUVDB-ID: #VU49369

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-36180

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

77) Deserialization of Untrusted Data

EUVDB-ID: #VU49378

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-35728

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

78) Deserialization of Untrusted Data

EUVDB-ID: #VU27031

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11619

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to affected software mishandles the interaction between serialization gadgets and typing, related to "org.springframework.aop.config.MethodLocatingFactoryBean" (aka spring-aop). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

79) Deserialization of Untrusted Data

EUVDB-ID: #VU25830

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-9546

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data between serialization gadgets and typing. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: This vulnerability is related to:

• org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config)

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

80) Out-of-bounds write

EUVDB-ID: #VU61799

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

81) Input validation error

EUVDB-ID: #VU21593

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16943

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests  within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.

Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

82) Deserialization of Untrusted Data

EUVDB-ID: #VU47105

Risk: High

CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-24750

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. A remote attacker can execute arbitrary code on the target system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

83) Deserialization of Untrusted Data

EUVDB-ID: #VU29128

Risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2020-14195

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

84) Deserialization of Untrusted Data

EUVDB-ID: #VU49375

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36186

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

85) Deserialization of Untrusted Data

EUVDB-ID: #VU49376

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36187

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

86) Deserialization of Untrusted Data

EUVDB-ID: #VU49372

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36181

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

87) Information disclosure

EUVDB-ID: #VU21135

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-14540

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: Yes

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

88) Information disclosure

EUVDB-ID: #VU21136

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-16335

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

89) XML External Entity injection

EUVDB-ID: #VU48979

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-25649

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit availability: No

The vulnerability allows a remote attacker to modify information on the system.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and modify information on the system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

90) Deserialization of Untrusted Data

EUVDB-ID: #VU29129

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-14060

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

91) Deserialization of Untrusted Data

EUVDB-ID: #VU49377

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36189

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

92) Deserialization of Untrusted Data

EUVDB-ID: #VU49368

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36179

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

93) Deserialization of Untrusted Data

EUVDB-ID: #VU49370

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-36182

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install update from vendor's website.

Cloudera Observability with IBM: 3.5.3

• cpe:2.3:a:ibm_corporation:cloudera_observability_with_ibm:3.5.3:*:*:*:*:*:*:*

https://www.ibm.com/support/pages/node/7251246

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.