CRITICAL✓ PATCH🇬🇧 English

CVE-2018-1000613

CVSS 9.8v3.1pub. 2018-07-09upd. 2025-05-12

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Bouncycastle Bc Java

    APP
    Bouncycastle
    1.58 – 1.60 (bez)
  • Netapp Oncommand Workflow Automation

    APP
    Netapp
    wszystkie wersje
  • Opensuse Leap

    OS
    Opensuse
    15.1
  • Oracle Api Gateway

    APP
    Oracle
    11.1.2.4.0
  • Oracle Banking Platform

    APP
    Oracle
    2.6.02.6.12.6.2
  • Oracle Business Process Management Suite

    APP
    Oracle
    11.1.1.9.012.1.3.0.012.2.1.3.0
  • Oracle Business Transaction Management

    APP
    Oracle
    12.1.0
  • Oracle Communications Application Session Controller

    APP
    Oracle
    3.7.13.8.0
  • Oracle Communications Converged Application Server

    APP
    Oracle
    7.0.0.1< 7.0.0.1
  • Oracle Communications Convergence

    APP
    Oracle
    3.0.2
  • Oracle Communications Diameter Signaling Router

    APP
    Oracle
    8.0.08.18.28.2.1
  • Oracle Communications Webrtc Session Controller

    APP
    Oracle
    7.2< 7.2
  • Oracle Data Integrator

    APP
    Oracle
    12.2.1.3.0
  • Oracle Enterprise Manager Base Platform

    APP
    Oracle
    12.1.0.5.013.2.0.013.3.0.0
  • Oracle Enterprise Manager For Fusion Middleware

    APP
    Oracle
    13.2.0.013.3.0.0
  • Oracle Enterprise Repository

    APP
    Oracle
    11.1.1.7.012.1.3.0.0
  • Oracle Managed File Transfer

    APP
    Oracle
    12.1.3.0.012.2.1.3.0
  • Oracle Peoplesoft Enterprise Peopletools

    APP
    Oracle
    8.558.568.57
  • Oracle Retail Convenience And Fuel Pos Software

    APP
    Oracle
    2.8.1
  • Oracle Retail Xstore Point Of Service

    APP
    Oracle
    7.07.1
  • Oracle Soa Suite

    APP
    Oracle
    12.1.3.0.012.2.1.3.0
  • Oracle Utilities Network Management System

    APP
    Oracle
    1.12.0.32.3.0.02.3.0.12.3.0.2
  • Oracle Webcenter Portal

    APP
    Oracle
    11.1.1.9.012.2.1.3.0
  • Oracle Weblogic Server

    APP
    Oracle
    12.2.1.3
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
Deserialization
CWE
Referencje

Powiązane podatności

CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2022-22963CRITICAL9.8⚠ KEVten sam produkt

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2020-16846CRITICAL9.8⚠ KEVten sam produkt

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the...