https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244

https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee

https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f

https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE

https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt

https://github.com/eclipse-ee4j/mojarra/issues/4556

https://github.com/eclipse-ee4j/mojarra/pull/4567

https://github.com/javaserverfaces/mojarra/commit/ae1c234d0a6750822ac69d4ae26d90e3571f27fe

https://github.com/javaserverfaces/mojarra/commit/f61935cd39f34329fbf27b1972a506fbdd0ab4d4

https://github.com/javaserverfaces/mojarra/compare/2.2.19...2.2.20

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

The versions of Application Testing Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load     Testing for Web Apps (Log4j)). The supported version that is affected is 13.3.0.1. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Application Testing Suite. Successful attacks of this vulnerability can result in takeover of Oracle     Application Testing Suite. (CVE-2017-5645)

  - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager (component: Load     Testing for Web Apps (Eclipse Mojarra). Supported versions that are affected are 13.2.0.1 and 13.3.0.1.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Application Testing Suite. Successful attacks require human interaction from a person other than the     attacker and while the vulnerability is in Oracle Application Testing Suite, attacks may significantly     impact additional products. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Application Testing Suite accessible data as well as unauthorized     read access to a subset of Oracle Application Testing Suite accessible data. (CVE-2019-17091)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Oracle Primavera P6 EnterpriseProject Portfolio Management (EPPM) installation running on the remote web server is 15.x prior to 15.2.18.8, 16.x prior to 16.2.19.2, 17.x prior to 17.12.16.1, or 18.8.x prior to 18.8.16.`, or 19.12.1.0. It is, therefore, affected by multiple vulnerabilities:

  - An authentication bypass vulnerability exists in Oracle Primavera P6 Enterprise     Project Portfolio Management. An unauthenticated, local attack can exploit this,     to bypass authentication and execute arbitrary actions with root privileges.     (CVE-2020-2556)

  - A authorization bypass vulnerability exists in Primavera P6 Enterprise Project     Portfolio Management. An autheticated local attacker can exploit this via HTTP to     access controlled data on the network and EPPM. (CVE-2020-2707)

  - A XSS vulnerability exists in Primavera P6 Enterprise Project Portfolio due to     vulnerability in Mojarra components, allowing Reflected XSS because a client     window field is mishandled. (CVE-2019-17091)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Secure Global Desktop installed on the remote host is missing a security patch from the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

  - A remote code execution vulnerability exists in the Core (Apache Axis) component. An unauthenticated,     adjacent attacker can exploit this issue, to execute arbitrary commands. (CVE-2019-0227)

  - A cross-site scripting vulnerability exists in the Web Server (Appache HTTPD Server) component. An     unauthenticated, remote attacker can exploit this issue via causing the link on the mod_proxy error page     to be malformed and point to a page of the attacker's choice. (CVE-2019-10092)

  - A cross-site scripting vulnerability exists in faces/context/PartialViewContextImpl.java in Eclipse     (Mojarra) due to mishandling of a client window field. An unauthenticated, remote attacker can exploit     this issue, to perform unauthorized update, insert or delete access to some of Oracle Communications     Unified Inventory Management accessible data as well as to perform an unauthorized read access to a subset     of Oracle Communications Unified Inventory Management accessible data. (CVE-2019-17091)

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:

	-  An unspecified vulnerability in the jquery component of the        Web Services of Oracle Weblogic Server.  An unauthenticated,        remote attacker can exploit this to gain unauthorized update,        insert, or delete access to some of Oracle WebLogic Server        accessible data. (CVE-2015-9251) 

	-  An unspecified vulnerability in the Web Services component of        Oracle Weblogic Server.  An unauthenticated, remote attacker        unauthorized can exploit this to gain read access to some of        Oracle WebLogic Server accessible data. (CVE-2019-2887)

    -  An unspecified vulnerability in the Web Services component of        Oracle Weblogic Server.  An unauthenticated, remote attacker        can exploit this to gain unauthorized read access to some of        Oracle WebLogic Server accessible data. (CVE-2019-2888)

    -  An unspecified vulnerability in the Web Services component of        Oracle Weblogic Server.  An authenticated, high priviledge        remote attacker can exploit this to compromise        Oracle WebLogic Server. (CVE-2019-2890)

    -  An unspecified vulnerability in the console component of        Oracle Weblogic Server.  An unauthenticated, remote attacker        can exploit this to compromise Oracle WebLogic Server.        (CVE-2019-2891)

    -  An unspecified vulnerability in the SOAP with Attachments API        for Java component of Oracle Weblogic Server.  An        unauthenticated, remote attacker can exploit this to gain        unauthorized update, insert, or delete access to some of        Oracle Web Services accessible data as well as unauthorized        read access to a subset of Oracle Web Services accessible        data. (CVE-2019-2907)        
    -  An unspecified vulnerability in the ADF Faces jQuery component        of Oracle Weblogic Server.  An unauthenticated, remote        attacker can exploit this to compromise Oracle        JDeveloper and ADF resulting in an unauthorized update,        insert, or delete access to some of OracleJDeveloper & ADF        accessible data as well as unauthorized read access to a        subset of Oracle JDeveloper & ADF accessible data.        (CVE-2019-11358)

    -  An unspecified vulnerability in the Web Container jQuery        component of Oracle Weblogic Server.  An unauthenticated,        remote attacker can exploit this to compromise        Oracle Service Bus resulting in an unauthorized update,        insert, or delete access to some of Service Bus data as well        as unauthorized read access to a subset of Oracle Service Bus        accessible data. (CVE-2019-11358)

    -  An unspecified vulnerability in the console jQuery component        of Oracle Weblogic Server.  An unauthenticated, remote        attacker can exploit this to compromise Oracle        WebLogic Server resulting in an unauthorized update, insert,        or delete access to some of Oracle WebLogic Server data as        well as unauthorized read access to a subset of Oracle        WebLogic Server accessible data. (CVE-2019-11358)

    -  An unspecified vulnerability in the Web Container Faces jQuery        component of Oracle Weblogic Server.  An unauthenticated,        remote attacker can exploit this to compromise        Oracle Service Bus resulting in an unauthorized update,        insert, or delete access to some of Oracle WebLogic Server        data as well as unauthorized read access to a subset of Oracle        WebLogic Server accessible data. (CVE-2019-17091)

ID	Name	Product	Family	Severity
138610	Oracle Application Testing Suite (Jul 2020 CPU)	Nessus	Misc.	critical
133054	Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	CGI abuses	medium
133042	Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU)	Nessus	Misc.	medium
130012	Oracle WebLogic Server Multiple Vulnerabilities (Oct 2019 CPU)	Nessus	Misc.	high

CVE-2019-17091

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

medium

medium

high