低危 Oracle Financial Services Market Risk Measurement 8.0.5/8.0.6 User Interface 本地权限提升漏洞

CVE编号

CVE-2015-9251

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2018-01-19
漏洞描述
jQuery是美国程序员John Resig所研发的一套开源、跨浏览器的JavaScript库。该库简化了HTML与JavaScript之间的操作,并具有模块化、插件扩展等特点。

jQuery 3.0.0之前版本中存在跨站脚本漏洞。远程攻击者可利用该漏洞执行文本/JavaScript响应。
解决建议
目前厂商已发布升级补丁以修复漏洞,详情请关注厂商主页:
https://jquery.com/
参考链接
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
http://seclists.org/fulldisclosure/2019/May/10
http://seclists.org/fulldisclosure/2019/May/11
http://seclists.org/fulldisclosure/2019/May/13
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105658
https://access.redhat.com/errata/RHSA-2020:0481
https://access.redhat.com/errata/RHSA-2020:0729
https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
https://github.com/jquery/jquery/issues/2432
https://github.com/jquery/jquery/pull/2588
https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837...
https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359...
https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359...
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5...
https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5...
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d...
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d...
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c255...
https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c255...
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b8...
https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b8...
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a...
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a...
https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d...
https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d...
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34...
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34...
https://seclists.org/bugtraq/2019/May/18
https://security.netapp.com/advisory/ntap-20210108-0004/
https://snyk.io/vuln/npm:jquery:20150627
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin...
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.tenable.com/security/tns-2019-08
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 jquery jquery * Up to
(excluding)
3.0.0
运行在以下环境
应用 oracle agile_product_lifecycle_management_for_process 6.2.0.0 -
运行在以下环境
应用 oracle agile_product_lifecycle_management_for_process 6.2.1.0 -
运行在以下环境
应用 oracle agile_product_lifecycle_management_for_process 6.2.2.0 -
运行在以下环境
应用 oracle agile_product_lifecycle_management_for_process 6.2.3.0 -
运行在以下环境
应用 oracle agile_product_lifecycle_management_for_process 6.2.3.1 -
运行在以下环境
应用 oracle banking_platform 2.6.0 -
运行在以下环境
应用 oracle banking_platform 2.6.1 -
运行在以下环境
应用 oracle banking_platform 2.6.2 -
运行在以下环境
应用 oracle business_process_management_suite 11.1.1.9.0 -
运行在以下环境
应用 oracle business_process_management_suite 12.1.3.0.0 -
运行在以下环境
应用 oracle business_process_management_suite 12.2.1.3.0 -
运行在以下环境
应用 oracle communications_converged_application_server * Up to
(excluding)
7.0.0.1
运行在以下环境
应用 oracle communications_interactive_session_recorder 6.0 -
运行在以下环境
应用 oracle communications_interactive_session_recorder 6.1 -
运行在以下环境
应用 oracle communications_interactive_session_recorder 6.2 -
运行在以下环境
应用 oracle communications_services_gatekeeper * Up to
(excluding)
6.1.0.4.0
运行在以下环境
应用 oracle communications_webrtc_session_controller * Up to
(excluding)
7.2
运行在以下环境
应用 oracle endeca_information_discovery_studio 3.1.0 -
运行在以下环境
应用 oracle endeca_information_discovery_studio 3.2.0 -
运行在以下环境
应用 oracle enterprise_manager_ops_center 12.2.2 -
运行在以下环境
应用 oracle enterprise_manager_ops_center 12.3.3 -
运行在以下环境
应用 oracle enterprise_operations_monitor 3.4 -
运行在以下环境
应用 oracle enterprise_operations_monitor 4.0 -
运行在以下环境
应用 oracle financial_services_analytical_applications_infrastructure * From
(including)
7.3.3
Up to
(including)
7.3.5
运行在以下环境
应用 oracle financial_services_analytical_applications_infrastructure * From
(including)
8.0.0
Up to
(including)
8.0.7
运行在以下环境
应用 oracle financial_services_asset_liability_management * From
(including)
8.0.4
Up to
(including)
8.0.7
运行在以下环境
应用 oracle financial_services_data_integration_hub * From
(including)
8.0.5
Up to
(including)
8.0.7
运行在以下环境
应用 oracle financial_services_funds_transfer_pricing * From
(including)
8.0.4
Up to
(including)
8.0.7
运行在以下环境
应用 oracle financial_services_hedge_management_and_ifrs_valuations * From
(including)
8.0.4
Up to
(including)
8.0.7
运行在以下环境
应用 oracle financial_services_liquidity_risk_management * From
(including)
8.0.2
Up to
(including)
8.0.6
运行在以下环境
应用 oracle financial_services_loan_loss_forecasting_and_provisioning * From
(including)
8.0.2
Up to
(including)
8.0.7
运行在以下环境
应用 oracle financial_services_market_risk_measurement_and_management 8.0.5 -
运行在以下环境
应用 oracle financial_services_market_risk_measurement_and_management 8.0.6 -
运行在以下环境
应用 oracle financial_services_profitability_management * From
(including)
8.0.4
Up to
(including)
8.0.6
运行在以下环境
应用 oracle financial_services_reconciliation_framework 8.0.5 -
运行在以下环境
应用 oracle financial_services_reconciliation_framework 8.0.6 -
运行在以下环境
应用 oracle fusion_middleware_mapviewer 12.2.1.3.0 -
运行在以下环境
应用 oracle healthcare_foundation 7.1 -
运行在以下环境
应用 oracle healthcare_foundation 7.2 -
运行在以下环境
应用 oracle healthcare_translational_research 3.1.0 -
运行在以下环境
应用 oracle hospitality_cruise_fleet_management 9.0.11 -
运行在以下环境
应用 oracle hospitality_guest_access 4.2.0 -
运行在以下环境
应用 oracle hospitality_guest_access 4.2.1 -
运行在以下环境
应用 oracle hospitality_materials_control 18.1 -
运行在以下环境
应用 oracle hospitality_reporting_and_analytics 9.1.0 -
运行在以下环境
应用 oracle insurance_insbridge_rating_and_underwriting 5.2 -
运行在以下环境
应用 oracle insurance_insbridge_rating_and_underwriting 5.4 -
运行在以下环境
应用 oracle insurance_insbridge_rating_and_underwriting 5.5 -
运行在以下环境
应用 oracle jdeveloper 11.1.1.9.0 -
运行在以下环境
应用 oracle jdeveloper 12.1.3.0.0 -
运行在以下环境
应用 oracle jdeveloper 12.2.1.3.0 -
运行在以下环境
应用 oracle jd_edwards_enterpriseone_tools 9.2 -
运行在以下环境
应用 oracle oss_support_tools 19.1 -
运行在以下环境
应用 oracle peoplesoft_enterprise_peopletools 8.55 -
运行在以下环境
应用 oracle peoplesoft_enterprise_peopletools 8.56 -
运行在以下环境
应用 oracle peoplesoft_enterprise_peopletools 8.57 -
运行在以下环境
应用 oracle primavera_gateway 15.2 -
运行在以下环境
应用 oracle primavera_gateway 16.2 -
运行在以下环境
应用 oracle primavera_gateway 17.12 -
运行在以下环境
应用 oracle primavera_unifier * From
(including)
17.1
Up to
(including)
17.12
运行在以下环境
应用 oracle primavera_unifier 16.1 -
运行在以下环境
应用 oracle primavera_unifier 16.2 -
运行在以下环境
应用 oracle primavera_unifier 18.8 -
运行在以下环境
应用 oracle real-time_scheduler 2.3.0 -
运行在以下环境
应用 oracle retail_allocation 15.0.2 -
运行在以下环境
应用 oracle retail_customer_insights 15.0 -
运行在以下环境
应用 oracle retail_customer_insights 16.0 -
运行在以下环境
应用 oracle retail_invoice_matching 15.0 -
运行在以下环境
应用 oracle retail_sales_audit 15.0 -
运行在以下环境
应用 oracle retail_workforce_management_software 1.60.9 -
运行在以下环境
应用 oracle retail_workforce_management_software 1.64.0 -
运行在以下环境
应用 oracle service_bus 12.1.3.0.0 -
运行在以下环境
应用 oracle service_bus 12.2.1.3.0 -
运行在以下环境
应用 oracle siebel_ui_framework 18.10 -
运行在以下环境
应用 oracle siebel_ui_framework 18.11 -
运行在以下环境
应用 oracle utilities_framework * From
(including)
4.3.0.1
Up to
(including)
4.3.0.4
运行在以下环境
应用 oracle utilities_mobile_workforce_management 2.3.0 -
运行在以下环境
应用 oracle webcenter_sites 11.1.1.8.0 -
运行在以下环境
应用 oracle weblogic_server 12.1.3.0 -
运行在以下环境
应用 oracle weblogic_server 12.2.1.3 -
运行在以下环境
系统 alibaba_cloud_linux_2.1903 ipa * Up to
(excluding)
4.6.8-5.1.al7
运行在以下环境
系统 alpine_3.10 ipa * Up to
(excluding)
2.5.6-r0
运行在以下环境
系统 amazon linux_2 ipa * Up to
(excluding)
4.6.8-5.amzn2
运行在以下环境
系统 amazon linux_AMI ipa * Up to
(excluding)
2.6.14.4-2.12.amzn1
运行在以下环境
系统 amazon_2 ipa * Up to
(excluding)
6.1.2-125.amzn2.0.2
运行在以下环境
系统 amazon_AMI ruby24 * Up to
(excluding)
0.1.1-2.12.amzn1
运行在以下环境
系统 centos_7 ipa * Up to
(excluding)
4.6.8-5.el7
运行在以下环境
系统 centos_8 slapi-nis-debugsource * Up to
(excluding)
2.10.0-1.module+el8.2.0+5059+3eb3af25
运行在以下环境
系统 debian_10 jquery * Up to
(excluding)
3.1.1-1
运行在以下环境
系统 fedora_27 ipa * Up to
(excluding)
1.12.0.1-2.fc27
运行在以下环境
系统 kylinos_aarch64_V10 ipa-client * Up to
(excluding)
4.6.8-5.el7_9.10.ns7.01
运行在以下环境
系统 kylinos_x86_64_V10 ipa-client * Up to
(excluding)
4.6.8-5.el7_9.10.ns7.01
运行在以下环境
系统 opensuse_Leap_15.1 ipa * Up to
(excluding)
2.5.7-lp151.4.6.1
运行在以下环境
系统 oracle linux_7 ipa * Up to
(excluding)
4.6.8-5.0.1.el7
运行在以下环境
系统 oracle_7 oraclelinux-release * Up to
(excluding)
4.6.8-5.0.1.el7
运行在以下环境
系统 oracle_8 oraclelinux-release * Up to
(excluding)
2.6-21.module+el8.3.0+7697+44932688
运行在以下环境
系统 redhat_7 ipa-client * Up to
(excluding)
4.6.8-5.el7
运行在以下环境
系统 redhat_8 slapi-nis-debugsource * Up to
(excluding)
2.10.0-1.module+el8.2.0+5059+3eb3af25
阿里云评分
3.6
  • 攻击路径
    远程
  • 攻击复杂度
    容易
  • 权限要求
    无需权限
  • 影响范围
    有限影响
  • EXP成熟度
    POC 已公开
  • 补丁情况
    官方补丁
  • 数据保密性
    数据泄露
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-79 在Web页面生成时对输入的转义处理不恰当(跨站脚本)
阿里云安全产品覆盖情况