All the vulnerabilites related to Red Hat - Red Hat Integration Service Registry
cve-2022-4244
Vulnerability from cvelistv5
Published
2023-09-25 19:20
Modified
2024-08-03 01:34
Severity ?
EPSS score ?
Summary
Codehaus-plexus: directory traversal
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:2135 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:3906 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2022-4244 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2149841 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2022-4244", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-03T18:17:37.759702Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:16:33.612Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T01:34:49.883Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:2135", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "name": "RHSA-2023:3906", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3906" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2022-4244" }, { "name": "RHBZ#2149841", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:camel_k:1" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "RHINT Camel-K-1.10.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" ], "defaultStatus": "unaffected", "product": "RHPAM 7.13.1 async", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_online:1" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat A-MQ Online", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat build of Apache Camel for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unknown", "packageName": "plexus-utils", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "maven:3.6/plexus-utils", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "maven:3.8/plexus-utils", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "maven:3.8/plexus-utils", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "plexus-utils", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Integration Change Data Capture", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Integration Service Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss A-MQ 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:6" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Fuse 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse_service_works:6" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Fuse Service Works 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_web_server:3" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Web Server 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_web_server:5" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Web Server 5", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat OpenShift Application Runtimes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "unaffected", "packageName": "org.codehaus.plexus-plexus-utils", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-byte-buddy", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven-archiver", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-assembly-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-compiler-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven-jar-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-plugin-bundle", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven-remote-resources-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-shade-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-source-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-surefire", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-plexus-utils", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat support for Spring Boot", "vendor": "Red Hat" } ], "datePublic": "2022-12-01T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T15:32:27.644Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:2135", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "name": "RHSA-2023:3906", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3906" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2022-4244" }, { "name": "RHBZ#2149841", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841" } ], "timeline": [ { "lang": "en", "time": "2022-12-01T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2022-12-01T00:00:00+00:00", "value": "Made public." } ], "title": "Codehaus-plexus: directory traversal", "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-4244", "datePublished": "2023-09-25T19:20:04.703Z", "dateReserved": "2022-12-01T06:39:33.189Z", "dateUpdated": "2024-08-03T01:34:49.883Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1108
Vulnerability from cvelistv5
Published
2023-09-14 14:48
Modified
2024-08-02 05:32
Severity ?
EPSS score ?
Summary
Undertow: infinite loop in sslconduit during close
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-1108", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-08T18:37:50.625681Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-08T18:38:02.186Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T05:32:46.370Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:1184", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:1184" }, { "name": "RHSA-2023:1185", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:1185" }, { "name": "RHSA-2023:1512", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:1512" }, { "name": "RHSA-2023:1513", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:1513" }, { "name": "RHSA-2023:1514", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:1514" }, { "name": "RHSA-2023:1516", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:1516" }, { "name": "RHSA-2023:2135", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "name": "RHSA-2023:3883", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3883" }, { "name": "RHSA-2023:3884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3884" }, { "name": "RHSA-2023:3885", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3885" }, { "name": "RHSA-2023:3888", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3888" }, { "name": "RHSA-2023:3892", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3892" }, { "name": "RHSA-2023:3954", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3954" }, { "name": "RHSA-2023:4612", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4612" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-1108" }, { "name": "RHBZ#2174246", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246" }, { "tags": [ "x_transferred" ], "url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231020-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/undertow-io/undertow", "packageName": "io.undertow:undertow-core", "versions": [ { "status": "unaffected", "version": "2.3.5" }, { "status": "unaffected", "version": "2.2.24" } ] }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" ], "defaultStatus": "unaffected", "product": "EAP 7.4.10 release", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Fuse 7.12", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.1.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.22-1.SP3_redhat_00002.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-wildfly", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:7.4.9-6.GA_redhat_00004.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.23-1.SP2_redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow-jastow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.0.14-1.Final_redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.22-1.SP3_redhat_00002.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-wildfly", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:7.4.9-6.GA_redhat_00004.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.23-1.SP2_redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" ], "defaultStatus": "affected", "packageName": "eap7-undertow-jastow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.0.14-1.Final_redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.22-1.SP3_redhat_00002.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-wildfly", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:7.4.9-6.GA_redhat_00004.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.23-1.SP2_redhat_00001.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" ], "defaultStatus": "affected", "packageName": "eap7-undertow-jastow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.0.14-1.Final_redhat_00001.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6.4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.8-1.redhat_00001.1.el7sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.8-1.redhat_00001.1.el8sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.8-1.redhat_00001.1.el9sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat support for Spring Boot 2.7.13", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhosemc:1.0::el8" ], "defaultStatus": "affected", "packageName": "rh-sso-7/sso76-openshift-rhel8", "product": "RHEL-8 based Middleware Containers", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7.6-24", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "RHPAM 7.13.1 async", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "unaffected", "packageName": "io.quarkus/quarkus-undertow", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Service Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:6" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Fuse 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openstack:13" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat OpenStack Platform 13 (Queens)", "vendor": "Red Hat" } ], "datePublic": "2023-03-07T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-835", "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T15:32:32.904Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:1184", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:1184" }, { "name": "RHSA-2023:1185", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:1185" }, { "name": "RHSA-2023:1512", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:1512" }, { "name": "RHSA-2023:1513", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:1513" }, { "name": "RHSA-2023:1514", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:1514" }, { "name": "RHSA-2023:1516", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:1516" }, { "name": "RHSA-2023:2135", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "name": "RHSA-2023:3883", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3883" }, { "name": "RHSA-2023:3884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3884" }, { "name": "RHSA-2023:3885", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3885" }, { "name": "RHSA-2023:3888", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3888" }, { "name": "RHSA-2023:3892", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3892" }, { "name": "RHSA-2023:3954", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3954" }, { "name": "RHSA-2023:4612", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4612" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-1108" }, { "name": "RHBZ#2174246", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246" }, { "url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78" }, { "url": "https://security.netapp.com/advisory/ntap-20231020-0002/" } ], "timeline": [ { "lang": "en", "time": "2023-02-07T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-03-07T00:00:00+00:00", "value": "Made public." } ], "title": "Undertow: infinite loop in sslconduit during close", "x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-1108", "datePublished": "2023-09-14T14:48:58.869Z", "dateReserved": "2023-03-01T00:27:23.587Z", "dateUpdated": "2024-08-02T05:32:46.370Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1023
Vulnerability from cvelistv5
Published
2024-03-27 07:51
Modified
2024-11-15 21:03
Severity ?
EPSS score ?
Summary
Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1662 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1706 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2088 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2833 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3527 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3989 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-1023 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2260840 | issue-tracking, x_refsource_REDHAT | |
https://github.com/eclipse-vertx/vert.x/issues/5078 | ||
https://github.com/eclipse-vertx/vert.x/pull/5080 | ||
https://github.com/eclipse-vertx/vert.x/pull/5082 |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1023", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-03T17:46:25.667630Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T15:37:55.153Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:26:30.343Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1023" }, { "name": "RHBZ#2260840", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse-vertx/vert.x/issues/5078" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse-vertx/vert.x/pull/5080" }, { "tags": [ "x_transferred" ], "url": "https://github.com/eclipse-vertx/vert.x/pull/5082" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://mvnrepository.com/artifact/io.vertx", "defaultStatus": "unaffected", "packageName": "vertx-core", "versions": [ { "status": "affected", "version": "4.4.5" }, { "status": "affected", "version": "4.4.6" }, { "status": "affected", "version": "4.5.0" }, { "status": "affected", "version": "4.5.1" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "CEQ 3.2", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-7", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-operator-bundle", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-reports-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8-operator", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/jfr-datasource-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "cpe:/a:redhat:migration_toolkit_applications:6.2::el8" ], "defaultStatus": "affected", "packageName": "mta/mta-windup-addon-rhel9", "product": "MTA-6.2-RHEL-9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "6.2.3-2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat AMQ Streams 2.7.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2::el8" ], "defaultStatus": "affected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus 3.2.11.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.8.redhat-00001", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2.5" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "RHINT Service Registry 2.5.11 GA", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Migration Toolkit for Runtimes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "unaffected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "vert.x", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unaffected", "packageName": "vert.x", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" } ], "datePublic": "2024-01-26T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-119", "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:03:27.370Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1023" }, { "name": "RHBZ#2260840", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840" }, { "url": "https://github.com/eclipse-vertx/vert.x/issues/5078" }, { "url": "https://github.com/eclipse-vertx/vert.x/pull/5080" }, { "url": "https://github.com/eclipse-vertx/vert.x/pull/5082" } ], "timeline": [ { "lang": "en", "time": "2024-01-29T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-01-26T00:00:00+00:00", "value": "Made public." } ], "title": "Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1023", "datePublished": "2024-03-27T07:51:15.716Z", "dateReserved": "2024-01-29T10:54:44.360Z", "dateUpdated": "2024-11-15T21:03:27.370Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1635
Vulnerability from cvelistv5
Published
2024-02-19 21:23
Modified
2024-11-13 18:06
Severity ?
EPSS score ?
Summary
Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1674 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1675 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1676 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1677 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1860 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1861 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1862 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1864 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1866 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-1635 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2264928 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1635", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-22T16:54:05.178381Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-05T13:50:19.172Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:48:21.580Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1674", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1674" }, { "name": "RHSA-2024:1675", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1675" }, { "name": "RHSA-2024:1676", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1676" }, { "name": "RHSA-2024:1677", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1677" }, { "name": "RHSA-2024:1860", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1860" }, { "name": "RHSA-2024:1861", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1861" }, { "name": "RHSA-2024:1862", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1862" }, { "name": "RHSA-2024:1864", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1864" }, { "name": "RHSA-2024:1866", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1866" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1635" }, { "name": "RHBZ#2264928", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240322-0007/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/undertow-io/undertow", "defaultStatus": "unaffected", "packageName": "undertow", "versions": [ { "status": "affected", "version": "1.31.0" } ] }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.30-1.SP1_redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.30-1.SP1_redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.30-1.SP1_redhat_00001.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el7sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el8sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el9sso", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhosemc:1.0::el8" ], "defaultStatus": "affected", "packageName": "rh-sso-7/sso76-openshift-rhel8", "product": "RHEL-8 based Middleware Containers", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7.6-46", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "RHSSO 7.6.8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:4" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Spring Boot 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3" ], "defaultStatus": "unaffected", "packageName": "io.quarkus/quarkus-undertow", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse_service_works:6" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Fuse Service Works 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:1" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "streams for Apache Kafka", "vendor": "Red Hat" } ], "datePublic": "2023-10-27T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-13T18:06:28.616Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1674", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1674" }, { "name": "RHSA-2024:1675", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1675" }, { "name": "RHSA-2024:1676", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1676" }, { "name": "RHSA-2024:1677", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1677" }, { "name": "RHSA-2024:1860", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1860" }, { "name": "RHSA-2024:1861", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1861" }, { "name": "RHSA-2024:1862", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1862" }, { "name": "RHSA-2024:1864", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1864" }, { "name": "RHSA-2024:1866", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1866" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1635" }, { "name": "RHBZ#2264928", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928" } ], "timeline": [ { "lang": "en", "time": "2024-02-19T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-10-27T00:00:00+00:00", "value": "Made public." } ], "title": "Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol", "workarounds": [ { "lang": "en", "value": "No mitigation is currently available for this vulnerability. However, there might be some protections, such as request limits by a load balancer in front of JBoss EAP/Wildfly or even Undertow, that could minimize the impact." } ], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1635", "datePublished": "2024-02-19T21:23:14.496Z", "dateReserved": "2024-02-19T17:25:58.418Z", "dateUpdated": "2024-11-13T18:06:28.616Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-3653
Vulnerability from cvelistv5
Published
2024-07-08 21:21
Modified
2024-11-15 21:04
Severity ?
EPSS score ?
Summary
Undertow: learningpushhandler can lead to remote memory dos attacks
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:4392 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5143 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5144 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5145 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:5147 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:6437 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-3653 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2274437 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-3653", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T15:00:49.417301Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-09T15:01:06.286Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-28T15:02:47.378Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:4392", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4392" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-3653" }, { "name": "RHBZ#2274437", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437" }, { "url": "https://security.netapp.com/advisory/ntap-20240828-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/undertow-io/undertow", "defaultStatus": "unaffected", "packageName": "undertow", "versions": [ { "lessThanOrEqual": "2.3.14.Final", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.8::el8" ], "defaultStatus": "affected", "packageName": "io.quarkus.http/quarkus-http-core", "product": "Red Hat build of Quarkus 3.8.6.redhat", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "5.2.4.redhat-00001", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.33-1.SP1_redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.33-1.SP1_redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.33-1.SP1_redhat_00001.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.0" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:4" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel for Spring Boot 4", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhboac_hawtio:4" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apache Camel - HawtIO", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-undertow", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse_service_works:6" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Fuse Service Works 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "streams for Apache Kafka", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Keke Lian, Haoran Zhao, and Yongheng Liu (Secsys Lab of Fudan University) for reporting this issue." } ], "datePublic": "2024-07-08T20:53:45+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server\u0027s config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Low" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:04:01.140Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:4392", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4392" }, { "name": "RHSA-2024:5143", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5143" }, { "name": "RHSA-2024:5144", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5144" }, { "name": "RHSA-2024:5145", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5145" }, { "name": "RHSA-2024:5147", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:5147" }, { "name": "RHSA-2024:6437", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:6437" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-3653" }, { "name": "RHBZ#2274437", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437" } ], "timeline": [ { "lang": "en", "time": "2024-04-11T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-07-08T20:53:45+00:00", "value": "Made public." } ], "title": "Undertow: learningpushhandler can lead to remote memory dos attacks", "workarounds": [ { "lang": "en", "value": "Setting the maxAge configuration is sufficient to prevent the behavior of this vulnerability being explored." } ], "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-3653", "datePublished": "2024-07-08T21:21:20.899Z", "dateReserved": "2024-04-11T04:14:52.345Z", "dateUpdated": "2024-11-15T21:04:01.140Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1249
Vulnerability from cvelistv5
Published
2024-04-17 13:22
Modified
2024-10-29 05:08
Severity ?
EPSS score ?
Summary
Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1860 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1861 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1862 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1864 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1866 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1867 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1868 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2945 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4057 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-1249 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2262918 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1249", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-25T17:33:02.839974Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:00:28.545Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:33:25.533Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1860", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1860" }, { "name": "RHSA-2024:1861", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1861" }, { "name": "RHSA-2024:1862", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1862" }, { "name": "RHSA-2024:1864", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1864" }, { "name": "RHSA-2024:1866", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1866" }, { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:4057", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1249" }, { "name": "RHBZ#2262918", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262918" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected", "packageName": "keycloak", "versions": [ { "lessThan": "22.0.10", "status": "affected", "version": "21.1.0", "versionType": "semver" }, { "lessThan": "24.0.3", "status": "affected", "version": "23.0.0", "versionType": "semver" } ] }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7.12" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-operator-bundle", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22.0.10-1", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-13", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9-operator", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-16", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:22" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat build of Keycloak 22.0.10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el7sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el8sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el9sso", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhosemc:1.0::el8" ], "defaultStatus": "affected", "packageName": "rh-sso-7/sso76-openshift-rhel8", "product": "RHEL-8 based Middleware Containers", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7.6-46", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-data-index-ephemeral-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-data-index-postgresql-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-operator-bundle", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-rhel8-operator", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-swf-builder-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-swf-devmode-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "RHSSO 7.6.8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6" ], "defaultStatus": "affected", "packageName": "mta/mta-ui-rhel9", "product": "Migration Toolkit for Applications 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:7" ], "defaultStatus": "affected", "packageName": "mta/mta-ui-rhel9", "product": "Migration Toolkit for Applications 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhdh:1" ], "defaultStatus": "unaffected", "packageName": "rhdh-hub-container", "product": "Red Hat Developer Hub", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak-adapter-eap6", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak-adapter-sso7_2-eap6", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak-adapter-sso7_3-eap6", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak-adapter-sso7_4-eap6", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak-adapter-sso7_5-eap6", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "org.keycloak-keycloak-parent", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "rh-sso7-keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:1" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "streams for Apache Kafka", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Adriano M\u00e1rcio Monteiro for reporting this issue." } ], "datePublic": "2024-04-16T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Keycloak\u0027s OIDC component in the \"checkLoginIframe,\" which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application\u0027s availability without proper origin validation for incoming messages." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-346", "description": "Origin Validation Error", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T05:08:34.032Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1860", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1860" }, { "name": "RHSA-2024:1861", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1861" }, { "name": "RHSA-2024:1862", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1862" }, { "name": "RHSA-2024:1864", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1864" }, { "name": "RHSA-2024:1866", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1866" }, { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:4057", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1249" }, { "name": "RHBZ#2262918", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262918" } ], "timeline": [ { "lang": "en", "time": "2024-02-06T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-04-16T00:00:00+00:00", "value": "Made public." } ], "title": "Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-346: Origin Validation Error" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1249", "datePublished": "2024-04-17T13:22:48.335Z", "dateReserved": "2024-02-06T06:20:24.574Z", "dateUpdated": "2024-10-29T05:08:34.032Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1584
Vulnerability from cvelistv5
Published
2023-10-04 10:47
Modified
2024-08-02 05:57
Severity ?
EPSS score ?
Summary
Quarkus-oidc: id and access tokens leak via the authorization code flow
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:3809 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:7653 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-1584 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2180886 | issue-tracking, x_refsource_REDHAT | |
https://github.com/quarkusio/quarkus/pull/32192 | ||
https://github.com/quarkusio/quarkus/pull/33414 |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:57:23.278Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:3809", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3809" }, { "name": "RHSA-2023:7653", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7653" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-1584" }, { "name": "RHBZ#2180886", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180886" }, { "tags": [ "x_transferred" ], "url": "https://github.com/quarkusio/quarkus/pull/32192" }, { "tags": [ "x_transferred" ], "url": "https://github.com/quarkusio/quarkus/pull/33414" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://mvnrepository.com/artifact/io.quarkus", "packageName": "quarkus-oidc", "versions": [ { "status": "unaffected", "version": "3.1.0.CR1" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2.13" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-oidc", "product": "Red Hat build of Quarkus 2.13.8.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.13.8.Final-redhat-00004", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2.5" ], "defaultStatus": "unaffected", "packageName": "quarkus-oidc", "product": "RHINT Service Registry 2.5.4 GA", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Paulo Lopes (Red Hat)." } ], "datePublic": "2023-03-22T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Low" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T15:32:34.371Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:3809", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3809" }, { "name": "RHSA-2023:7653", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7653" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-1584" }, { "name": "RHBZ#2180886", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180886" }, { "url": "https://github.com/quarkusio/quarkus/pull/32192" }, { "url": "https://github.com/quarkusio/quarkus/pull/33414" } ], "timeline": [ { "lang": "en", "time": "2023-03-22T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-03-22T00:00:00+00:00", "value": "Made public." } ], "title": "Quarkus-oidc: id and access tokens leak via the authorization code flow", "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-1584", "datePublished": "2023-10-04T10:47:37.831Z", "dateReserved": "2023-03-22T20:15:15.323Z", "dateUpdated": "2024-08-02T05:57:23.278Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2700
Vulnerability from cvelistv5
Published
2024-04-04 13:46
Modified
2024-11-06 14:53
Severity ?
EPSS score ?
Summary
Quarkus-core: leak of local configuration properties into quarkus applications
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:2106 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2705 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3527 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4028 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4873 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-2700 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2273281 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-2700", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-23T20:55:35.446485Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:30:17.872Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:18:48.249Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:2106", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2106" }, { "name": "RHSA-2024:2705", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2705" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:4028", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4028" }, { "name": "RHSA-2024:4873", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4873" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-2700" }, { "name": "RHBZ#2273281", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273281" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/cockpit-project/cockpit/", "defaultStatus": "unaffected", "packageName": "quarkus-core", "versions": [ { "status": "affected", "version": "3.8.4" }, { "status": "affected", "version": "3.2.12" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "unaffected", "product": "Red Hat AMQ Streams 2.7.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apicurio_registry:2.6" ], "defaultStatus": "unaffected", "packageName": "quarkus-core", "product": "Red Hat build of Apicurio Registry 2.6.1 GA", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2::el8" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-core", "product": "Red Hat build of Quarkus 3.2.12.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3.2.12.Final-redhat-00001", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-core", "product": "Red Hat build of Quarkus 3.8.4.redhat", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3.8.4.redhat-00002", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/client-kn-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-controller-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-istio-controller-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-kafka-broker-controller-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-kafka-broker-dispatcher-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-kafka-broker-post-install-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-kafka-broker-receiver-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-kafka-broker-webhook-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-mtbroker-filter-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-mtchannel-broker-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-mtping-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-storage-version-migration-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/eventing-webhook-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/func-utils-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/ingress-rhel8-operator", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/knative-rhel8-operator", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/kourier-control-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/net-istio-controller-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/net-istio-webhook-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serverless-operator-bundle", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-6", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serverless-rhel8-operator", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-activator-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-autoscaler-hpa-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-autoscaler-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-controller-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-queue-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-storage-version-migration-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/serving-webhook-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/svls-must-gather-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1-tech-preview/backstage-plugins-eventmesh-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1-tech-preview/knative-client-plugin-event-sender-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.12.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "affected", "packageName": "quarkus-core", "product": "Red Hat build of Apache Camel for Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhboac_hawtio:4" ], "defaultStatus": "affected", "packageName": "quarkus-core", "product": "Red Hat build of Apache Camel - HawtIO", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "affected", "packageName": "quarkus-core", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "affected", "packageName": "quarkus-core", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "quarkus-core", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "quarkus-core", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" } ], "datePublic": "2024-04-03T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application\u0027s build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-526", "description": "Cleartext Storage of Sensitive Information in an Environment Variable", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T14:53:28.789Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:2106", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2106" }, { "name": "RHSA-2024:2705", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2705" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:4028", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4028" }, { "name": "RHSA-2024:4873", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4873" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-2700" }, { "name": "RHBZ#2273281", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273281" } ], "timeline": [ { "lang": "en", "time": "2024-04-03T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-04-03T00:00:00+00:00", "value": "Made public." } ], "title": "Quarkus-core: leak of local configuration properties into quarkus applications", "workarounds": [ { "lang": "en", "value": "Currently, no mitigation is available for this vulnerability. Please update as the patches become available." } ], "x_redhatCweChain": "CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-2700", "datePublished": "2024-04-04T13:46:39.956Z", "dateReserved": "2024-03-20T01:39:49.992Z", "dateUpdated": "2024-11-06T14:53:28.789Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1300
Vulnerability from cvelistv5
Published
2024-04-02 07:33
Modified
2024-11-15 21:03
Severity ?
EPSS score ?
Summary
Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1662 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1706 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1923 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2088 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2833 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3527 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:3989 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2024-1300 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2263139 | issue-tracking, x_refsource_REDHAT | |
https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni. |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1300", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-02T15:16:36.592165Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-20T19:53:23.394Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:33:25.527Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:1923", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1923" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1300" }, { "name": "RHBZ#2263139", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139" }, { "tags": [ "x_transferred" ], "url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni." } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://vertx.io/docs/vertx-core/java/", "defaultStatus": "unaffected", "packageName": "io.vertx:vertx-core", "versions": [ { "lessThanOrEqual": "4.5.2", "status": "affected", "version": "4.3.4", "versionType": "semver" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:3" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "CEQ 3.2", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-7", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-operator-bundle", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-reports-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/cryostat-rhel8-operator", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-9", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:cryostat:2::el8" ], "defaultStatus": "affected", "packageName": "cryostat-tech-preview/jfr-datasource-rhel8", "product": "Cryostat 2 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.4.0-4", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-operator-bundle", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-18", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-rhel8-operator", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-11", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-web-container-rhel8", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-12", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-web-executor-container-rhel8", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-10", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "cpe:/a:redhat:migration_toolkit_applications:6.2::el8" ], "defaultStatus": "affected", "packageName": "mta/mta-windup-addon-rhel9", "product": "MTA-6.2-RHEL-9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "6.2.3-2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_streams:2" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat AMQ Streams 2.7.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2::el8" ], "defaultStatus": "affected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus 3.2.11.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "4.4.8.redhat-00001", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2.5" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "RHINT Service Registry 2.5.11 GA", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat build of Apache Camel for Spring Boot 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Build of Keycloak", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "affected", "packageName": "io.vertx/vertx-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "vertx-core", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "vertx-core", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" } ], "datePublic": "2024-02-06T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-15T21:03:29.385Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1662", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1662" }, { "name": "RHSA-2024:1706", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1706" }, { "name": "RHSA-2024:1923", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1923" }, { "name": "RHSA-2024:2088", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2088" }, { "name": "RHSA-2024:2833", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2833" }, { "name": "RHSA-2024:3527", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3527" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "name": "RHSA-2024:4884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4884" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1300" }, { "name": "RHBZ#2263139", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139" }, { "url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni." } ], "timeline": [ { "lang": "en", "time": "2024-02-07T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-02-06T00:00:00+00:00", "value": "Made public." } ], "title": "Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1300", "datePublished": "2024-04-02T07:33:05.215Z", "dateReserved": "2024-02-07T07:11:11.156Z", "dateUpdated": "2024-11-15T21:03:29.385Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1132
Vulnerability from cvelistv5
Published
2024-04-17 13:21
Modified
2024-10-22 01:19
Severity ?
EPSS score ?
Summary
Keycloak: path transversal in redirection validation
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1132", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-23T18:37:10.567431Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:59:39.871Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T18:26:30.564Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1860", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1860" }, { "name": "RHSA-2024:1861", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1861" }, { "name": "RHSA-2024:1862", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1862" }, { "name": "RHSA-2024:1864", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1864" }, { "name": "RHSA-2024:1866", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1866" }, { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:3752", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3752" }, { "name": "RHSA-2024:3762", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3762" }, { "name": "RHSA-2024:3919", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3919" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1132" }, { "name": "RHBZ#2262117", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/keycloak/keycloak", "defaultStatus": "unaffected", "packageName": "keycloak", "versions": [ { "lessThan": "22.0.10", "status": "affected", "version": "21.1.0", "versionType": "semver" }, { "lessThan": "24.0.3", "status": "affected", "version": "23.0.0", "versionType": "semver" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-operator-bundle", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-23", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-rhel8-operator", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-15", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-web-container-rhel8", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-16", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8" ], "defaultStatus": "affected", "packageName": "mtr/mtr-web-executor-container-rhel8", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.2-14", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "cpe:/a:redhat:migration_toolkit_applications:6.2::el8" ], "defaultStatus": "affected", "packageName": "mta/mta-windup-addon-rhel9", "product": "MTA-6.2-RHEL-9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "6.2.3-2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7.10" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7.11" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7.12" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-operator-bundle", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22.0.10-1", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-13", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9-operator", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-16", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:22" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat build of Keycloak 22.0.10", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el7sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el8sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.13-1.redhat_00001.1.el9sso", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhosemc:1.0::el8" ], "defaultStatus": "affected", "packageName": "rh-sso-7/sso76-openshift-rhel8", "product": "RHEL-8 based Middleware Containers", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7.6-46", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "RHSSO 7.6.8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3" ], "defaultStatus": "affected", "packageName": "org.keycloak/keycloak-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "org.wildfly.security-wildfly-elytron-parent", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "unknown", "packageName": "keycloak", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Axel Flamcourt for reporting this issue." } ], "datePublic": "2024-04-16T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-22T01:19:27.880Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1860", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1860" }, { "name": "RHSA-2024:1861", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1861" }, { "name": "RHSA-2024:1862", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1862" }, { "name": "RHSA-2024:1864", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1864" }, { "name": "RHSA-2024:1866", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1866" }, { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:3752", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3752" }, { "name": "RHSA-2024:3762", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3762" }, { "name": "RHSA-2024:3919", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3919" }, { "name": "RHSA-2024:3989", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:3989" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2024-1132" }, { "name": "RHBZ#2262117", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117" } ], "timeline": [ { "lang": "en", "time": "2024-01-31T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-04-16T00:00:00+00:00", "value": "Made public." } ], "title": "Keycloak: path transversal in redirection validation", "workarounds": [ { "lang": "en", "value": "No current mitigation is available for this vulnerability." } ], "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2024-1132", "datePublished": "2024-04-17T13:21:19.130Z", "dateReserved": "2024-01-31T17:07:33.455Z", "dateUpdated": "2024-10-22T01:19:27.880Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5675
Vulnerability from cvelistv5
Published
2024-04-25 15:44
Modified
2024-10-22 00:46
Severity ?
EPSS score ?
Summary
Quarkus: authorization flaw in quarkus resteasy reactive and classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:0494 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0495 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-5675 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2245197 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-5675", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-25T19:40:04.917288Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-18T18:37:54.897Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T08:07:32.514Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:0494", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0494" }, { "name": "RHSA-2024:0495", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0495" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-5675" }, { "name": "RHBZ#2245197", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245197" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://mvnrepository.com/artifact/io.quarkus", "defaultStatus": "unaffected", "packageName": "quarkus-resteasy-reactive", "versions": [ { "lessThan": "3.2.10.Final", "status": "affected", "version": "3.2.0", "versionType": "maven" }, { "lessThan": "3.6.9", "status": "affected", "version": "3.6.0", "versionType": "maven" }, { "lessThan": "3.7.1", "status": "affected", "version": "3.7.0", "versionType": "maven" }, { "lessThan": "3.8.*", "status": "unaffected", "version": "3.8.0", "versionType": "maven" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2.13" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-resteasy", "product": "Red Hat build of Quarkus 2.13.9.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.13.9.Final-redhat-00003", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2.13" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-resteasy-reactive", "product": "Red Hat build of Quarkus 2.13.9.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "2.13.9.Final-redhat-00003", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-resteasy", "product": "Red Hat build of Quarkus 3.2.9.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3.2.9.Final-redhat-00003", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:3.2" ], "defaultStatus": "affected", "packageName": "io.quarkus/quarkus-resteasy-reactive", "product": "Red Hat build of Quarkus 3.2.9.Final", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "3.2.9.Final-redhat-00003", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:cryostat:2" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Cryostat 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:serverless:1" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "OpenShift Serverless", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:optaplanner:::el6" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat build of OptaPlanner 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "unknown", "packageName": "quarkus-resteasy-reactive", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Michal Vav\u0159\u00edk (Red Hat)." } ], "datePublic": "2024-01-24T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either \u0027quarkus.security.jaxrs.deny-unannotated-endpoints\u0027 or \u0027quarkus.security.jaxrs.default-roles-allowed\u0027 properties." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-22T00:46:35.102Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:0494", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0494" }, { "name": "RHSA-2024:0495", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0495" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-5675" }, { "name": "RHBZ#2245197", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245197" } ], "timeline": [ { "lang": "en", "time": "2023-10-16T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-01-24T00:00:00+00:00", "value": "Made public." } ], "title": "Quarkus: authorization flaw in quarkus resteasy reactive and classic when \"quarkus.security.jaxrs.deny-unannotated-endpoints\" or \"quarkus.security.jaxrs.default-roles-allowed\" properties are used.", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_redhatCweChain": "CWE-285: Improper Authorization" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-5675", "datePublished": "2024-04-25T15:44:55.582Z", "dateReserved": "2023-10-20T04:42:22.947Z", "dateUpdated": "2024-10-22T00:46:35.102Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4245
Vulnerability from cvelistv5
Published
2023-09-25 19:20
Modified
2024-08-03 01:34
Severity ?
EPSS score ?
Summary
Codehaus-plexus: xml external entity (xxe) injection
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:2135 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:3906 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2022-4245 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2149843 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2022-4245", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-07T17:32:13.401725Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:16:32.674Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-03T01:34:49.896Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:2135", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "name": "RHSA-2023:3906", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:3906" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2022-4245" }, { "name": "RHBZ#2149843", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:camel_k:1" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "RHINT Camel-K-1.10.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" ], "defaultStatus": "unaffected", "product": "RHPAM 7.13.1 async", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:a_mq_clients:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "A-MQ Clients 2", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:amq_online:1" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat A-MQ Online", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_spring_boot:3" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat build of Apache Camel for Spring Boot", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unknown", "packageName": "plexus-utils", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "maven:3.6/plexus-utils", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "maven:3.8/plexus-utils", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "maven:3.8/plexus-utils", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "packageName": "plexus-utils", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:camel_quarkus:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Integration Camel Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Integration Change Data Capture", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Integration Service Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss A-MQ 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:6" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Fuse 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse_service_works:6" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Fuse Service Works 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_web_server:3" ], "defaultStatus": "unknown", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Web Server 3", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_web_server:5" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat JBoss Web Server 5", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "unaffected", "packageName": "codehaus-plexus", "product": "Red Hat OpenShift Application Runtimes", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "org.codehaus.plexus-plexus-utils", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-byte-buddy", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven-archiver", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-assembly-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-compiler-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven-jar-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-plugin-bundle", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-maven-remote-resources-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-shade-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-source-plugin", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "affected", "packageName": "rh-maven36-maven-surefire", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_software_collections:3" ], "defaultStatus": "unaffected", "packageName": "rh-maven36-plexus-utils", "product": "Red Hat Software Collections", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "affected", "packageName": "codehaus-plexus", "product": "Red Hat support for Spring Boot", "vendor": "Red Hat" } ], "datePublic": "2022-12-01T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --\u003e sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-91", "description": "XML Injection (aka Blind XPath Injection)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T15:32:28.238Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:2135", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "name": "RHSA-2023:3906", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:3906" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2022-4245" }, { "name": "RHBZ#2149843", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843" } ], "timeline": [ { "lang": "en", "time": "2022-12-01T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2022-12-01T00:00:00+00:00", "value": "Made public." } ], "title": "Codehaus-plexus: xml external entity (xxe) injection", "x_redhatCweChain": "CWE-91: XML Injection (aka Blind XPath Injection)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-4245", "datePublished": "2023-09-25T19:20:57.329Z", "dateReserved": "2022-12-01T06:39:39.475Z", "dateUpdated": "2024-08-03T01:34:49.896Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-6717
Vulnerability from cvelistv5
Published
2024-04-25 16:02
Modified
2024-10-29 02:57
Severity ?
EPSS score ?
Summary
Keycloak: xss via assertion consumer service url in saml post-binding flow
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:1353 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1867 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1868 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:2945 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:4057 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-6717 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-6717", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-25T19:15:14.697195Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:16:59.611Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T08:35:14.887Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:4057", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-6717" }, { "name": "RHBZ#2253952", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:amq_broker:7.12" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-operator-bundle", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22.0.10-1", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-13", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:build_keycloak:22::el9" ], "defaultStatus": "affected", "packageName": "rhbk/keycloak-rhel9-operator", "product": "Red Hat build of Keycloak 22", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "22-16", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:build_keycloak:22" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat build of Keycloak 22.0.10", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-data-index-ephemeral-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-data-index-postgresql-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-operator-bundle", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-rhel8-operator", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-3", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-swf-builder-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:openshift_serverless:1.33::el8" ], "defaultStatus": "affected", "packageName": "openshift-serverless-1/logic-swf-devmode-rhel8", "product": "RHOSS-1.33-RHEL-8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "1.33.0-5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" ], "defaultStatus": "unaffected", "product": "RHPAM 7.13.5 async", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:6" ], "defaultStatus": "affected", "packageName": "mta/mta-ui-rhel9", "product": "Migration Toolkit for Applications 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:migration_toolkit_applications:7" ], "defaultStatus": "affected", "packageName": "mta/mta-ui-rhel9", "product": "Migration Toolkit for Applications 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat build of Apicurio Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "unaffected", "packageName": "org.keycloak/keycloak-core", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhdh:1" ], "defaultStatus": "affected", "packageName": "rhdh-hub-container", "product": "Red Hat Developer Hub", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Fuse 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "org.keycloak-keycloak-parent", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:6" ], "defaultStatus": "unknown", "packageName": "rh-sso7-keycloak", "product": "Red Hat JBoss Enterprise Application Platform 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:8" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "keycloak", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_gitops:1" ], "defaultStatus": "affected", "packageName": "openshift-gitops-1/gitops-rhel8-operator", "product": "Red Hat OpenShift GitOps", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7" ], "defaultStatus": "affected", "packageName": "keycloak", "product": "Red Hat Single Sign-On 7", "vendor": "Red Hat" } ], "datePublic": "2024-04-16T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T02:57:16.532Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2024:1353", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1353" }, { "name": "RHSA-2024:1867", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1867" }, { "name": "RHSA-2024:1868", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1868" }, { "name": "RHSA-2024:2945", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:2945" }, { "name": "RHSA-2024:4057", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:4057" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-6717" }, { "name": "RHBZ#2253952", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253952" } ], "timeline": [ { "lang": "en", "time": "2023-12-11T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2024-04-16T00:00:00+00:00", "value": "Made public." } ], "title": "Keycloak: xss via assertion consumer service url in saml post-binding flow", "x_redhatCweChain": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-6717", "datePublished": "2024-04-25T16:02:03.267Z", "dateReserved": "2023-12-12T07:30:43.924Z", "dateUpdated": "2024-10-29T02:57:16.532Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-3223
Vulnerability from cvelistv5
Published
2023-09-27 13:54
Modified
2024-08-02 06:48
Severity ?
EPSS score ?
Summary
Undertow: outofmemoryerror due to @multipartconfig handling
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-3223", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-13T20:07:40.554787Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-13T20:07:46.970Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T06:48:07.955Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:4505", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4505" }, { "name": "RHSA-2023:4506", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4506" }, { "name": "RHSA-2023:4507", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4507" }, { "name": "RHSA-2023:4509", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4509" }, { "name": "RHSA-2023:4918", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4918" }, { "name": "RHSA-2023:4919", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4919" }, { "name": "RHSA-2023:4920", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4920" }, { "name": "RHSA-2023:4921", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4921" }, { "name": "RHSA-2023:4924", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:4924" }, { "name": "RHSA-2023:7247", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-3223" }, { "name": "RHBZ#2209689", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231027-0004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:7" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Fuse 7.12.1", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.1.0", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.25-3.SP3_redhat_00001.1.el8eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.25-3.SP3_redhat_00001.1.el9eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" ], "defaultStatus": "affected", "packageName": "eap7-undertow", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:2.2.25-3.SP3_redhat_00001.1.el7eap", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6.5" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Single Sign-On 7.6.5", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.9-1.redhat_00001.1.el7sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.9-1.redhat_00001.1.el8sso", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9" ], "defaultStatus": "affected", "packageName": "rh-sso7-keycloak", "product": "Red Hat Single Sign-On 7.6 for RHEL 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "0:18.0.9-1.redhat_00001.1.el9sso", "versionType": "rpm" } ] }, { "collectionURL": "https://catalog.redhat.com/software/containers/", "cpes": [ "cpe:/a:redhat:rhosemc:1.0::el8" ], "defaultStatus": "affected", "packageName": "rh-sso-7/sso76-openshift-rhel8", "product": "RHEL-8 based Middleware Containers", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7.6-27", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:quarkus:2" ], "defaultStatus": "unaffected", "packageName": "io.quarkus/quarkus-undertow", "product": "Red Hat build of Quarkus", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_data_grid:8" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat Data Grid 8", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_brms_platform:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Decision Manager 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:integration:1" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Camel K", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:service_registry:2" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Integration Service Registry", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_data_grid:7" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Data Grid 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jbosseapxp" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "cpes": [ "cpe:/a:redhat:jboss_fuse:6" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat JBoss Fuse 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openstack-optools:13" ], "defaultStatus": "unknown", "packageName": "undertow", "product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" ], "defaultStatus": "affected", "packageName": "undertow", "product": "Red Hat Process Automation 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:openshift_application_runtimes:1.0" ], "defaultStatus": "unaffected", "packageName": "undertow", "product": "Red Hat support for Spring Boot", "vendor": "Red Hat" } ], "credits": [ { "lang": "en", "value": "Red Hat would like to thank Keke Lian \u0026 Haoran Zhao (SecSys Lab) for reporting this issue." } ], "datePublic": "2023-08-07T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it\u0027s possible to bypass the limit by setting the file name in the request to null." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-789", "description": "Memory Allocation with Excessive Size Value", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T15:32:37.244Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:4505", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4505" }, { "name": "RHSA-2023:4506", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4506" }, { "name": "RHSA-2023:4507", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4507" }, { "name": "RHSA-2023:4509", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4509" }, { "name": "RHSA-2023:4918", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4918" }, { "name": "RHSA-2023:4919", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4919" }, { "name": "RHSA-2023:4920", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4920" }, { "name": "RHSA-2023:4921", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4921" }, { "name": "RHSA-2023:4924", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:4924" }, { "name": "RHSA-2023:7247", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7247" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-3223" }, { "name": "RHBZ#2209689", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689" }, { "url": "https://security.netapp.com/advisory/ntap-20231027-0004/" } ], "timeline": [ { "lang": "en", "time": "2023-05-24T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-08-07T00:00:00+00:00", "value": "Made public." } ], "title": "Undertow: outofmemoryerror due to @multipartconfig handling", "x_redhatCweChain": "CWE-789: Memory Allocation with Excessive Size Value" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-3223", "datePublished": "2023-09-27T13:54:44.682Z", "dateReserved": "2023-06-13T15:50:40.922Z", "dateUpdated": "2024-08-02T06:48:07.955Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }