Vulnerabilites related to Red Hat - Red Hat build of Apache Camel - HawtIO 4
cve-2024-3653
Vulnerability from cvelistv5
Published
2024-07-08 21:21
Modified
2025-03-04 21:46
Severity ?
EPSS score ?
Summary
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2024:4392 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5143 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5144 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5145 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5147 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6437 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2024-3653 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2274437 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ |
Version: 0 < |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-3653", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-09T21:35:33.839379Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-04T21:46:21.970Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-28T15:02:47.378Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2024:4392", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:4392", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2024-3653", }, { name: "RHBZ#2274437", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2274437", }, { url: "https://security.netapp.com/advisory/ntap-20240828-0002/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://github.com/undertow-io/undertow", defaultStatus: "unaffected", packageName: "undertow", versions: [ { lessThanOrEqual: "2.3.14.Final", status: "affected", version: "0", versionType: "custom", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:3.8::el8", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat build of Quarkus 3.8.6.redhat", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "5.2.4.redhat-00001", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.33-1.SP1_redhat_00001.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.33-1.SP1_redhat_00001.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.33-1.SP1_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:serverless:1", ], defaultStatus: "affected", packageName: "undertow", product: "OpenShift Serverless", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_quarkus:3", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apache Camel 4 for Quarkus 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_spring_boot:4", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apache Camel for Spring Boot 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhboac_hawtio:4", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apache Camel - HawtIO 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apicurio Registry 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:optaplanner:::el6", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of OptaPlanner 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-undertow", product: "Red Hat build of Quarkus", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_data_grid:8", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Data Grid 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat Fuse 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_quarkus:2", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Integration Camel Quarkus 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_data_grid:7", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat JBoss Data Grid 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_fuse_service_works:6", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat JBoss Fuse Service Works 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:amq_streams:1", ], defaultStatus: "affected", packageName: "undertow", product: "streams for Apache Kafka", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "Red Hat would like to thank Keke Lian, Haoran Zhao, and Yongheng Liu (Secsys Lab of Fudan University) for reporting this issue.", }, ], datePublic: "2024-07-08T20:53:45.000Z", descriptions: [ { lang: "en", value: "A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Low", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-401", description: "Missing Release of Memory after Effective Lifetime", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-03T17:22:02.224Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2024:4392", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:4392", }, { name: "RHSA-2024:5143", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5143", }, { name: "RHSA-2024:5144", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5144", }, { name: "RHSA-2024:5145", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5145", }, { name: "RHSA-2024:5147", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5147", }, { name: "RHSA-2024:6437", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6437", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2024-3653", }, { name: "RHBZ#2274437", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2274437", }, ], timeline: [ { lang: "en", time: "2024-04-11T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-07-08T20:53:45+00:00", value: "Made public.", }, ], title: "Undertow: learningpushhandler can lead to remote memory dos attacks", workarounds: [ { lang: "en", value: "Setting the maxAge configuration is sufficient to prevent the behavior of this vulnerability being explored.", }, ], x_redhatCweChain: "CWE-401: Missing Release of Memory after Effective Lifetime", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2024-3653", datePublished: "2024-07-08T21:21:20.899Z", dateReserved: "2024-04-11T04:14:52.345Z", dateUpdated: "2025-03-04T21:46:21.970Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-5685
Vulnerability from cvelistv5
Published
2024-03-22 18:24
Modified
2025-03-03 14:46
Severity ?
EPSS score ?
Summary
A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:7637 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7638 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7639 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7641 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:10207 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:10208 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:2707 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2023-5685 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2241822 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | EAP 7.4.14 |
cpe:/a:redhat:jboss_enterprise_application_platform:7.4 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-5685", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-04-22T16:12:35.889624Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:28:42.677Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T08:07:32.397Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:7637", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7637", }, { name: "RHSA-2023:7638", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7638", }, { name: "RHSA-2023:7639", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7639", }, { name: "RHSA-2023:7641", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7641", }, { name: "RHSA-2024:2707", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-5685", }, { name: "RHBZ#2241822", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", ], defaultStatus: "unaffected", product: "EAP 7.4.14", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:apache-camel-spring-boot:4.4.0", ], defaultStatus: "unaffected", packageName: "xnio", product: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-apache-cxf", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.1.16-3.SP1_redhat_00001.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-avro", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.7.6-2.redhat_00003.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-bouncycastle", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.68.0-1.redhat_00005.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-h2database", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.4.197-2.redhat_00005.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-jackson-databind", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.8.11.6-1.SP1_redhat_00001.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-marshalling", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.0.15-1.Final_redhat_00001.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-xnio-base", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.5.10-1.Final_redhat_00001.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-wildfly", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:7.1.8-2.GA_redhat_00002.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", ], defaultStatus: "affected", packageName: "eap7-xalan-j2", product: "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.7.1-26.redhat_00015.1.ep7.el7", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-apache-cxf", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.4.10-1.SP1_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-avro", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.7.6-8.redhat_00003.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-h2database", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.4.197-3.redhat_00004.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-annotations-api_1.3_spec", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.0.1-4.Final_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-marshalling", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.0.15-1.Final_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-server-migration", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.7.2-12.Final_redhat_00013.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-xnio-base", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.7.13-1.Final_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-log4j-jboss-logmanager", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.2.2-2.Final_redhat_00002.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-wildfly", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:7.3.11-4.GA_redhat_00002.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-wss4j", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.3.3-2.redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-xalan-j2", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.7.1-38.redhat_00015.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", ], defaultStatus: "affected", packageName: "eap7-xml-security", product: "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.3-2.redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-jboss-xnio-base", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.8.11-1.SP1_redhat_00001.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", ], defaultStatus: "affected", packageName: "eap7-jboss-xnio-base", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.8.11-1.SP1_redhat_00001.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", ], defaultStatus: "affected", packageName: "eap7-jboss-xnio-base", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.8.11-1.SP1_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_spring_boot:3", ], defaultStatus: "unaffected", packageName: "xnio", product: "Red Hat build of Apache Camel for Spring Boot 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhboac_hawtio:4", ], defaultStatus: "affected", packageName: "xnio", product: "Red Hat build of Apache Camel - HawtIO 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:", ], defaultStatus: "unaffected", packageName: "xnio", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_data_grid:8", ], defaultStatus: "unaffected", packageName: "xnio", product: "Red Hat Data Grid 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "xnio", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_data_grid:7", ], defaultStatus: "unknown", packageName: "xnio", product: "Red Hat JBoss Data Grid 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8", ], defaultStatus: "unaffected", packageName: "xnio", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "unaffected", packageName: "xnio", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_fuse_service_works:6", ], defaultStatus: "unknown", packageName: "xnio", product: "Red Hat JBoss Fuse Service Works 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "affected", packageName: "xnio", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7", ], defaultStatus: "affected", packageName: "xnio", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, ], datePublic: "2024-03-05T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-03T14:46:50.701Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:7637", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7637", }, { name: "RHSA-2023:7638", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7638", }, { name: "RHSA-2023:7639", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7639", }, { name: "RHSA-2023:7641", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7641", }, { name: "RHSA-2024:10207", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:10207", }, { name: "RHSA-2024:10208", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:10208", }, { name: "RHSA-2024:2707", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-5685", }, { name: "RHBZ#2241822", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, ], timeline: [ { lang: "en", time: "2023-10-02T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-03-05T00:00:00+00:00", value: "Made public.", }, ], title: "Xnio: stackoverflowexception when the chain of notifier states becomes problematically big", workarounds: [ { lang: "en", value: "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", }, ], x_redhatCweChain: "CWE-400: Uncontrolled Resource Consumption", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-5685", datePublished: "2024-03-22T18:24:42.696Z", dateReserved: "2023-10-20T15:39:55.570Z", dateUpdated: "2025-03-03T14:46:50.701Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-11831
Vulnerability from cvelistv5
Published
2025-02-10 15:27
Modified
2025-03-14 19:16
Severity ?
EPSS score ?
Summary
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2025:1334 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2025:1468 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2024-11831 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2312579 | issue-tracking, x_refsource_REDHAT | |
| https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e | ||
| https://github.com/yahoo/serialize-javascript/pull/173 |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ |
Version: 6.0 ≤ |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-11831", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-10T17:08:31.160473Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-10T17:08:44.112Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://github.com/yahoo/serialize-javascript", packageName: "serialize-javascript", versions: [ { lessThan: "6.0.2", status: "affected", version: "6.0", versionType: "semver", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4.4::el8", ], defaultStatus: "affected", packageName: "advanced-cluster-security/rhacs-main-rhel8", product: "Red Hat Advanced Cluster Security 4.4", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "4.4.8-2", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4.5::el8", ], defaultStatus: "affected", packageName: "advanced-cluster-security/rhacs-main-rhel8", product: "Red Hat Advanced Cluster Security 4.5", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "4.5.6-2", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:cryostat:3", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Cryostat 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:logging:5", ], defaultStatus: "unknown", packageName: "openshift-logging/kibana6-rhel8", product: "Logging Subsystem for Red Hat OpenShift", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:migration_toolkit_applications:7", ], defaultStatus: "unaffected", packageName: "mta/mta-cli-rhel9", product: "Migration Toolkit for Applications 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:migration_toolkit_applications:7", ], defaultStatus: "unaffected", packageName: "mta/mta-ui-rhel9", product: "Migration Toolkit for Applications 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:migration_toolkit_virtualization:2", ], defaultStatus: "unknown", packageName: "migration-toolkit-virtualization/mtv-console-plugin-rhel9", product: "Migration Toolkit for Virtualization", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhel_dotnet:6.0", ], defaultStatus: "unknown", packageName: "rh-dotnet60-dotnet", product: ".NET 6.0 on Red Hat Enterprise Linux", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_lightspeed", ], defaultStatus: "unaffected", packageName: "openshift-lightspeed-beta/lightspeed-console-plugin-rhel9", product: "OpenShift Lightspeed", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_pipelines:1", ], defaultStatus: "unknown", packageName: "openshift-pipelines-console-plugin-rhel8-container", product: "OpenShift Pipelines", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_pipelines:1", ], defaultStatus: "unknown", packageName: "openshift-pipelines/pipelines-hub-api-rhel8", product: "OpenShift Pipelines", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_pipelines:1", ], defaultStatus: "unknown", packageName: "openshift-pipelines/pipelines-hub-db-migration-rhel8", product: "OpenShift Pipelines", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_pipelines:1", ], defaultStatus: "unknown", packageName: "openshift-pipelines/pipelines-hub-ui-rhel8", product: "OpenShift Pipelines", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:serverless:1", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "OpenShift Serverless", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_mesh:2", ], defaultStatus: "unknown", packageName: "openshift-service-mesh/kiali-ossmc-rhel8", product: "OpenShift Service Mesh 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_mesh:2", ], defaultStatus: "unknown", packageName: "openshift-service-mesh/kiali-rhel8", product: "OpenShift Service Mesh 2", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:red_hat_3scale_amp:2", ], defaultStatus: "unknown", packageName: "3scale-amp-system-container", product: "Red Hat 3scale API Management Platform 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:acm:2", ], defaultStatus: "unaffected", packageName: "rhacm2/console-rhel9", product: "Red Hat Advanced Cluster Management for Kubernetes 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4", ], defaultStatus: "unaffected", packageName: "advanced-cluster-security/rhacs-central-db-rhel8", product: "Red Hat Advanced Cluster Security 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4", ], defaultStatus: "unaffected", packageName: "advanced-cluster-security/rhacs-rhel8-operator", product: "Red Hat Advanced Cluster Security 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4", ], defaultStatus: "unaffected", packageName: "advanced-cluster-security/rhacs-roxctl-rhel8", product: "Red Hat Advanced Cluster Security 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4", ], defaultStatus: "unaffected", packageName: "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", product: "Red Hat Advanced Cluster Security 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:advanced_cluster_security:4", ], defaultStatus: "unaffected", packageName: "advanced-cluster-security/rhacs-scanner-v4-rhel8", product: "Red Hat Advanced Cluster Security 4", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:ansible_automation_platform:2", ], defaultStatus: "unknown", packageName: "aap-cloud-ui-container", product: "Red Hat Ansible Automation Platform 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:ansible_automation_platform:2", ], defaultStatus: "unknown", packageName: "ansible-automation-platform-24/lightspeed-rhel8", product: "Red Hat Ansible Automation Platform 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:ansible_automation_platform:2", ], defaultStatus: "unknown", packageName: "automation-controller", product: "Red Hat Ansible Automation Platform 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:ansible_automation_platform:2", ], defaultStatus: "unknown", packageName: "automation-eda-controller", product: "Red Hat Ansible Automation Platform 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhboac_hawtio:4", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat build of Apache Camel - HawtIO 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat build of Apicurio Registry 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:optaplanner:::el6", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat build of OptaPlanner 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_data_grid:8", ], defaultStatus: "unaffected", packageName: "serialize-javascript", product: "Red Hat Data Grid 8", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhdh:1", ], defaultStatus: "unaffected", packageName: "rhdh-hub-container", product: "Red Hat Developer Hub", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhdh:1", ], defaultStatus: "unaffected", packageName: "rhdh-operator-container", product: "Red Hat Developer Hub", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:discovery:1", ], defaultStatus: "unknown", packageName: "discovery-server-container", product: "Red Hat Discovery", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "unknown", packageName: "dotnet6.0", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "unknown", packageName: "dotnet8.0", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "unknown", packageName: "grafana", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "unknown", packageName: "pcs", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unknown", packageName: "dotnet6.0", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unknown", packageName: "dotnet7.0", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unknown", packageName: "dotnet8.0", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unknown", packageName: "pcs", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "affected", packageName: "serialize-javascript", product: "Red Hat Fuse 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat JBoss Enterprise Application Platform 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "unaffected", packageName: "odh-dashboard-container", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "unaffected", packageName: "odh-dashboard-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-data-science-pipelines-argo-argoexec-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-data-science-pipelines-argo-workflowcontroller-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-kf-notebook-controller-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-ml-pipelines-api-server-v2-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-ml-pipelines-driver-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-ml-pipelines-launcher-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-ml-pipelines-persistenceagent-v2-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "affected", packageName: "odh-ml-pipelines-scheduledworkflow-v2-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "unaffected", packageName: "odh-model-registry-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "unaffected", packageName: "odh-notebook-controller-rhel8", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_ai", ], defaultStatus: "unaffected", packageName: "odh-operator-container", product: "Red Hat OpenShift AI (RHOAI)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:3.11", ], defaultStatus: "unknown", packageName: "openshift3/ose-console", product: "Red Hat OpenShift Container Platform 3.11", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:4", ], defaultStatus: "unknown", packageName: "openshift4/ose-monitoring-plugin-rhel9", product: "Red Hat OpenShift Container Platform 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_data_foundation:4", ], defaultStatus: "affected", packageName: "odf4/mcg-core-rhel9", product: "Red Hat Openshift Data Foundation 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_data_foundation:4", ], defaultStatus: "affected", packageName: "odf4/ocs-client-console-rhel9", product: "Red Hat Openshift Data Foundation 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_data_foundation:4", ], defaultStatus: "affected", packageName: "odf4/odf-console-rhel9", product: "Red Hat Openshift Data Foundation 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_data_foundation:4", ], defaultStatus: "affected", packageName: "odf4/odf-multicluster-console-rhel9", product: "Red Hat Openshift Data Foundation 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_devspaces:3:", ], defaultStatus: "unknown", packageName: "devspaces/code-rhel8", product: "Red Hat OpenShift Dev Spaces", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_devspaces:3:", ], defaultStatus: "unknown", packageName: "devspaces/dashboard-rhel8", product: "Red Hat OpenShift Dev Spaces", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_devspaces:3:", ], defaultStatus: "unknown", packageName: "devspaces/traefik-rhel8", product: "Red Hat OpenShift Dev Spaces", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-agent-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-all-in-one-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-collector-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-es-index-cleaner-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-es-rollover-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-ingester-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_distributed_tracing:3", ], defaultStatus: "unknown", packageName: "rhosdt/jaeger-query-rhel8", product: "Red Hat OpenShift distributed tracing 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quay:3", ], defaultStatus: "unknown", packageName: "quay/quay-rhel8", product: "Red Hat Quay 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:satellite:6", ], defaultStatus: "unknown", packageName: "nodejs-compression-webpack-plugin", product: "Red Hat Satellite 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:satellite:6", ], defaultStatus: "unknown", packageName: "nodejs-css-minimizer-webpack-plugin", product: "Red Hat Satellite 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:satellite:6", ], defaultStatus: "unknown", packageName: "nodejs-uglifyjs-webpack-plugin", product: "Red Hat Satellite 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:satellite:6", ], defaultStatus: "unknown", packageName: "nodejs-webpack", product: "Red Hat Satellite 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7", ], defaultStatus: "unknown", packageName: "serialize-javascript", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:trusted_profile_analyzer:1", ], defaultStatus: "unknown", packageName: "rhtpa/rhtpa-trustification-service-rhel9", product: "Red Hat Trusted Profile Analyzer", vendor: "Red Hat", }, ], datePublic: "2024-09-16T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-14T19:16:08.863Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2025:1334", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:1334", }, { name: "RHSA-2025:1468", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:1468", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2024-11831", }, { name: "RHBZ#2312579", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312579", }, { url: "https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e", }, { url: "https://github.com/yahoo/serialize-javascript/pull/173", }, ], timeline: [ { lang: "en", time: "2024-09-16T16:43:32.021000+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-09-16T00:00:00+00:00", value: "Made public.", }, ], title: "Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript", workarounds: [ { lang: "en", value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", }, ], x_redhatCweChain: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2024-11831", datePublished: "2025-02-10T15:27:46.732Z", dateReserved: "2024-11-26T18:56:38.187Z", dateUpdated: "2025-03-14T19:16:08.863Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-6162
Vulnerability from cvelistv5
Published
2024-06-20 14:33
Modified
2025-03-03 15:17
Severity ?
EPSS score ?
Summary
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2024:1194 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:4386 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2024-6162 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2293069 | issue-tracking, x_refsource_REDHAT | |
| https://issues.redhat.com/browse/JBEAP-26268 |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ▼ |
Version: 0 < 2.2.33.Final Version: 2.3.0.Alpha1 < 2.3.14 |
|||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-6162", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-06-20T16:12:01.298919Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-20T16:12:42.628Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-11-29T12:04:43.347Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2024:4884", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:4884", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2024-6162", }, { name: "RHBZ#2293069", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2293069", }, { url: "https://security.netapp.com/advisory/ntap-20241129-0009/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://github.com/undertow-io/undertow", packageName: "undertow", versions: [ { lessThan: "2.2.33.Final", status: "affected", version: "0", versionType: "custom", }, { lessThan: "2.3.14", status: "affected", version: "2.3.0.Alpha1", versionType: "custom", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", ], defaultStatus: "unaffected", product: "EAP 8.0.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat build of Apache Camel 4.4.1 for Spring Boot", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "unaffected", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_spring_boot:3", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apache Camel for Spring Boot 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhboac_hawtio:4", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat build of Apache Camel - HawtIO 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_data_grid:8", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Data Grid 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Fuse 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_data_grid:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat JBoss Data Grid 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, ], datePublic: "2024-06-19T00:00:00.000Z", descriptions: [ { lang: "en", value: "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-03T15:17:26.135Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2024:1194", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:1194", }, { name: "RHSA-2024:4386", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:4386", }, { name: "RHSA-2024:4884", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:4884", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2024-6162", }, { name: "RHBZ#2293069", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2293069", }, { url: "https://issues.redhat.com/browse/JBEAP-26268", }, ], timeline: [ { lang: "en", time: "2024-06-19T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-06-19T00:00:00+00:00", value: "Made public.", }, ], title: "Undertow: url-encoded request path information can be broken on ajp-listener", workarounds: [ { lang: "en", value: "To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url=\"false\" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests.", }, ], x_redhatCweChain: "CWE-362->CWE-400: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Uncontrolled Resource Consumption", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2024-6162", datePublished: "2024-06-20T14:33:10.342Z", dateReserved: "2024-06-19T12:35:30.284Z", dateUpdated: "2025-03-03T15:17:26.135Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-5971
Vulnerability from cvelistv5
Published
2024-07-08 20:51
Modified
2025-03-03 14:17
Severity ?
EPSS score ?
Summary
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2024:4392 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:4884 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5143 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5144 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5145 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:5147 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6508 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6883 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2024-5971 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2292211 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ |
Version: 0 < 2.2.34.Final Version: 2.3.0.Alpha1 < 2.3.15.Final |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-5971", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-09T14:48:10.532625Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-09T14:48:19.006Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-28T15:02:51.331Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2024:4392", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:4392", }, { name: "RHSA-2024:4884", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:4884", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2024-5971", }, { name: "RHBZ#2292211", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2292211", }, { url: "https://security.netapp.com/advisory/ntap-20240828-0001/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://github.com/undertow-io/undertow", packageName: "undertow", versions: [ { lessThan: "2.2.34.Final", status: "affected", version: "0", versionType: "custom", }, { lessThan: "2.3.15.Final", status: "affected", version: "2.3.0.Alpha1", versionType: "custom", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat build of Apache Camel 3.20.7 for Spring Boot", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.1", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat build of Apache Camel 4.4.1 for Spring Boot", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:apache_camel_spring_boot:4.4.2", ], defaultStatus: "unaffected", product: "Red Hat build of Apache Camel 4.4.2 for Spring Boot", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.33-1.SP1_redhat_00001.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.33-1.SP1_redhat_00001.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.33-1.SP1_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_spring_boot:3", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apache Camel for Spring Boot 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhboac_hawtio:4", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat build of Apache Camel - HawtIO 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:3", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-undertow", product: "Red Hat build of Quarkus", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_data_grid:8", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Data Grid 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Fuse 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_data_grid:7", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat JBoss Data Grid 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, ], datePublic: "2024-07-08T20:46:55.000Z", descriptions: [ { lang: "en", value: "A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\\r\\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-674", description: "Uncontrolled Recursion", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-03T14:17:30.281Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2024:4392", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:4392", }, { name: "RHSA-2024:4884", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:4884", }, { name: "RHSA-2024:5143", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5143", }, { name: "RHSA-2024:5144", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5144", }, { name: "RHSA-2024:5145", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5145", }, { name: "RHSA-2024:5147", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:5147", }, { name: "RHSA-2024:6508", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6508", }, { name: "RHSA-2024:6883", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6883", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2024-5971", }, { name: "RHBZ#2292211", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2292211", }, ], timeline: [ { lang: "en", time: "2024-06-13T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-07-08T20:46:55+00:00", value: "Made public.", }, ], title: "Undertow: response write hangs in case of java 17 tlsv1.3 newsessionticket", workarounds: [ { lang: "en", value: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", }, ], x_redhatCweChain: "CWE-674: Uncontrolled Recursion", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2024-5971", datePublished: "2024-07-08T20:51:29.223Z", dateReserved: "2024-06-13T13:50:13.855Z", dateUpdated: "2025-03-03T14:17:30.281Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-12397
Vulnerability from cvelistv5
Published
2024-12-12 09:05
Modified
2025-03-06 18:31
Severity ?
EPSS score ?
Summary
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie
values or spoof arbitrary additional cookie values, leading to unauthorized
data access or modification. The main threat from this flaw impacts data
confidentiality and integrity.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2025:0900 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2025:1082 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2024-12397 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2331298 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-12397", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-12-12T15:31:47.316503Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-12-12T15:45:08.143Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_quarkus:3.15", ], defaultStatus: "unaffected", packageName: "com.redhat.quarkus.platform/quarkus-camel-bom", product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_quarkus:3.15", ], defaultStatus: "unaffected", packageName: "com.redhat.quarkus.platform/quarkus-cxf-bom", product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:quarkus:3.15::el8", ], defaultStatus: "unaffected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat build of Quarkus 3.15.3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:cryostat:3", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Cryostat 3", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhboac_hawtio:4", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat build of Apache Camel - HawtIO 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat build of Apicurio Registry 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:optaplanner:::el6", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat build of OptaPlanner 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "unknown", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat Fuse 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8", ], defaultStatus: "unaffected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "unaffected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:amq_streams:1", ], defaultStatus: "affected", packageName: "io.quarkus.http/quarkus-http-core", product: "streams for Apache Kafka", vendor: "Red Hat", }, ], datePublic: "2024-12-10T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-06T18:31:46.240Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2025:0900", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:0900", }, { name: "RHSA-2025:1082", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2025:1082", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2024-12397", }, { name: "RHBZ#2331298", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2331298", }, ], timeline: [ { lang: "en", time: "2024-12-10T01:15:33.380000+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-12-10T00:00:00+00:00", value: "Made public.", }, ], title: "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling", workarounds: [ { lang: "en", value: "Currently, no mitigation is available for this vulnerability.", }, ], x_redhatCweChain: "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2024-12397", datePublished: "2024-12-12T09:05:28.451Z", dateReserved: "2024-12-10T01:22:12.303Z", dateUpdated: "2025-03-06T18:31:46.240Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }