Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml	(revision 486101)
+++ security/vuxml/vuln.xml	(working copy)
@@ -58,6 +58,169 @@
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="93f8e0ff-f33d-11e8-be46-0019dbb15b3f">
+    <topic>payara -- Default typing issue in Jackson Databind</topic>
+    <affects>
+      <package>
+	<name>payara</name>
+	<range><eq>4.1.2.181.3</eq></range>
+	<range><eq>4.1.2.182</eq></range>
+	<range><eq>5.181.3</eq></range>
+	<range><eq>5.182</eq></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489">
+	  <p>FasterXML jackson-databind before 2.8.11.1 and 2.9.x before
+	    2.9.5 allows unauthenticated remote code execution because of
+	    an incomplete fix for the CVE-2017-7525 deserialization flaw.
+	    This is exploitable by sending maliciously crafted JSON input
+	    to the readValue method of the ObjectMapper, bypassing a
+	    blacklist that is ineffective if the c3p0 libraries are
+	    available in the classpath.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489</url>
+      <cvename>CVE-2018-7489</cvename>
+    </references>
+    <dates>
+      <discovery>2018-02-26</discovery>
+      <entry>2018-11-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="22bc5327-f33f-11e8-be46-0019dbb15b3f">
+    <topic>payara -- Code execution via crafted PUT requests to JSPs</topic>
+    <affects>
+      <package>
+	<name>payara</name>
+	<range><eq>4.1.2.174</eq></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615">
+	  <p>When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP
+	    PUTs enabled (e.g. via setting the readonly initialisation
+	    parameter of the Default to false) it was possible to upload a
+	    JSP file to the server via a specially crafted request. This
+	    JSP could then be requested and any code it contained would be
+	    executed by the server.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615</url>
+      <cvename>CVE-2017-12615</cvename>
+    </references>
+    <dates>
+      <discovery>2017-08-07</discovery>
+      <entry>2018-11-28</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="d70c9e18-f340-11e8-be46-0019dbb15b3f">
+    <topic>payara -- Multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>payara</name>
+	<range><eq>4.1.2.173</eq></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031">
+	  <p>Apache Commons FileUpload before 1.3.3
+	    DiskFileItem File Manipulation Remote Code Execution.</p>
+	</blockquote>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239">
+	  <p>Vulnerability in the Oracle GlassFish Server component of
+	    Oracle Fusion Middleware (subcomponent: Administration).
+	    Supported versions that are affected are 3.0.1 and 3.1.2.
+	    Easily exploitable vulnerability allows low privileged attacker
+	    with logon to the infrastructure where Oracle GlassFish Server
+	    executes to compromise Oracle GlassFish Server. Successful
+	    attacks of this vulnerability can result in unauthorized read
+	    access to a subset of Oracle GlassFish Server accessible data.
+	    CVSS v3.0 Base Score 3.3 (Confidentiality impacts).</p>
+	</blockquote>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247">
+	  <p>Vulnerability in the Oracle GlassFish Server component of Oracle
+	  Fusion Middleware (subcomponent: Core). Supported versions that
+	  are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable
+	  vulnerability allows unauthenticated attacker with network access
+	  via SMTP to compromise Oracle GlassFish Server. Successful
+	  attacks require human interaction from a person other than the
+	  attacker. Successful attacks of this vulnerability can result in
+	  unauthorized update, insert or delete access to some of Oracle
+	  GlassFish Server accessible data. CVSS v3.0 Base Score 4.3
+	  (Integrity impacts).</p>
+	</blockquote>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249">
+	  <p>Vulnerability in the Oracle GlassFish Server component of
+	    Oracle Fusion Middleware (subcomponent: Security). Supported
+	    versions that are affected are 2.1.1, 3.0.1 and 3.1.2.
+	    Easily exploitable vulnerability allows unauthenticated attacker
+	    with network access via LDAP to compromise Oracle GlassFish Server.
+	    Successful attacks of this vulnerability can result in unauthorized
+	    update, insert or delete access to some of Oracle GlassFish Server
+	    accessible data as well as unauthorized read access to a subset of
+	    Oracle GlassFish Server accessible data and unauthorized ability
+	    to cause a partial denial of service (partial DOS) of Oracle
+	    GlassFish Server. CVSS v3.0 Base Score 7.3 (Confidentiality,
+	    Integrity and Availability impacts).</p>
+	</blockquote>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250">
+	  <p>Vulnerability in the Oracle GlassFish Server component of Oracle
+	    Fusion Middleware (subcomponent: Security). Supported versions that
+	    are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable
+	    vulnerability allows unauthenticated attacker with network access
+	    via HTTP to compromise Oracle GlassFish Server. Successful attacks
+	    of this vulnerability can result in unauthorized update, insert or
+	    delete access to some of Oracle GlassFish Server accessible data as
+	    well as unauthorized read access to a subset of Oracle GlassFish
+	    Server accessible data and unauthorized ability to cause a partial
+	    denial of service (partial DOS) of Oracle GlassFish Server.
+	    CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and
+	    Availability impacts).</p>
+	</blockquote>
+	<blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528">
+	  <p>Vulnerability in the Oracle GlassFish Server component of Oracle
+	    Fusion Middleware (subcomponent: Security). Supported versions that
+	    are affected are 2.1.1, 3.0.1 and 3.1.2. Difficult to exploit
+	    vulnerability allows unauthenticated attacker with network access
+	    via multiple protocols to compromise Oracle GlassFish Server. While
+	    the vulnerability is in Oracle GlassFish Server, attacks may
+	    significantly impact additional products. Successful attacks of this
+	    vulnerability can result in takeover of Oracle GlassFish Server.
+	    CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and
+	    Availability impacts).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031</url>
+      <cvename>CVE-2016-1000031</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239</url>
+      <cvename>CVE-2017-3239</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247</url>
+      <cvename>CVE-2017-3247</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249</url>
+      <cvename>CVE-2017-3249</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250</url>
+      <cvename>CVE-2017-3250</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528</url>
+      <cvename>CVE-2016-5528</cvename>
+    </references>
+    <dates>
+      <discovery>2016-06-16</discovery>
+      <entry>2018-11-28</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="54976998-f248-11e8-81e2-005056a311d1">
     <topic>samba -- multiple vulnerabilities</topic>
     <affects>