Vulnerability-Lookup

CVE-2013-2035 (GCVE-0-2013-2035)

Vulnerability from cvelistv5 – Published: 2013-08-28 17:18 – Updated: 2024-08-06 15:20

Summary

Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.

Severity

No CVSS data available.

CWE

Assigner

redhat

References

18 references

URL	Tags
http://rhn.redhat.com/errata/RHSA-2014-0029.html	vendor-advisoryx_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2013-1029.html	vendor-advisoryx_refsource_REDHAT
http://secunia.com/advisories/53415	third-party-advisoryx_refsource_SECUNIA
http://www.osvdb.org/93411	vdb-entryx_refsource_OSVDB
http://rhn.redhat.com/errata/RHSA-2015-0034.html	vendor-advisoryx_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2014-0254.html	vendor-advisoryx_refsource_REDHAT
https://github.com/jline/jline2/issues/85	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2013-1785.html	vendor-advisoryx_refsource_REDHAT
http://www.securitytracker.com/id/1029431	vdb-entryx_refsource_SECTRACK
http://rhn.redhat.com/errata/RHSA-2013-1784.html	vendor-advisoryx_refsource_REDHAT
https://github.com/fusesource/hawtjni/commit/92c2…	x_refsource_CONFIRM
http://rhn.redhat.com/errata/RHSA-2014-0400.html	vendor-advisoryx_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2014-0245.html	vendor-advisoryx_refsource_REDHAT
http://rhn.redhat.com/errata/RHSA-2013-1786.html	vendor-advisoryx_refsource_REDHAT
http://secunia.com/advisories/57915	third-party-advisoryx_refsource_SECUNIA
https://github.com/jruby/jruby/issues/732	x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2…	x_refsource_CONFIRM
http://secunia.com/advisories/54108	third-party-advisoryx_refsource_SECUNIA

Date Public

2013-05-06 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T15:20:37.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2014:0029",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
          },
          {
            "name": "RHSA-2013:1029",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html"
          },
          {
            "name": "53415",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/53415"
          },
          {
            "name": "93411",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/93411"
          },
          {
            "name": "RHSA-2015:0034",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
          },
          {
            "name": "RHSA-2014:0254",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jline/jline2/issues/85"
          },
          {
            "name": "RHSA-2013:1785",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1785.html"
          },
          {
            "name": "1029431",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1029431"
          },
          {
            "name": "RHSA-2013:1784",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1784.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5"
          },
          {
            "name": "RHSA-2014:0400",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html"
          },
          {
            "name": "RHSA-2014:0245",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html"
          },
          {
            "name": "RHSA-2013:1786",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1786.html"
          },
          {
            "name": "57915",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/57915"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jruby/jruby/issues/732"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035"
          },
          {
            "name": "54108",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/54108"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-05-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2015-01-15T13:57:01.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2014:0029",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0029.html"
        },
        {
          "name": "RHSA-2013:1029",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1029.html"
        },
        {
          "name": "53415",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/53415"
        },
        {
          "name": "93411",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/93411"
        },
        {
          "name": "RHSA-2015:0034",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2015-0034.html"
        },
        {
          "name": "RHSA-2014:0254",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0254.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jline/jline2/issues/85"
        },
        {
          "name": "RHSA-2013:1785",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1785.html"
        },
        {
          "name": "1029431",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1029431"
        },
        {
          "name": "RHSA-2013:1784",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1784.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5"
        },
        {
          "name": "RHSA-2014:0400",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html"
        },
        {
          "name": "RHSA-2014:0245",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0245.html"
        },
        {
          "name": "RHSA-2013:1786",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1786.html"
        },
        {
          "name": "57915",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/57915"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jruby/jruby/issues/732"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035"
        },
        {
          "name": "54108",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/54108"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-2035",
    "datePublished": "2013-08-28T17:18:00.000Z",
    "dateReserved": "2013-02-19T00:00:00.000Z",
    "dateUpdated": "2024-08-06T15:20:37.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2013-2035",
      "date": "2026-06-08",
      "epss": "0.00043",
      "percentile": "0.1352"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.7\", \"matchCriteriaId\": \"769B44C8-CDCD-4C7D-8973-5C5DDAA9094F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"25DBA7F9-4177-4AF8-AAD5-DC4027F020DC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2E4FD38A-4D4F-4369-B6E2-AD2E50A8F889\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A1966148-E36A-427B-90FF-E7250C3D7645\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F332821B-AFD7-41B1-AFE5-ECEE08C2D8BF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"83996644-8ED7-4678-8CB9-8CA3D4C40025\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1D8632FC-0843-4C52-BB67-BD5181FF2293\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:hawtjni:1.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"27A5B63E-1CD9-4D57-A46B-A196683604FD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.\"}, {\"lang\": \"es\", \"value\": \"Una condici\\u00f3n de carrera en la biblioteca hawtjni-runtime/src/main/ java/org/fusesource/hawtjni/runtime/Library.java en HawtJNI anterior a versi\\u00f3n 1.8, cuando una ruta (path) de biblioteca personalizada no se especifica, permite a los usuarios locales ejecutar c\\u00f3digo Java arbitrario sobrescribiendo un Archivo JAR temporal con un nombre predecible en /tmp.\"}]",
      "id": "CVE-2013-2035",
      "lastModified": "2024-11-21T01:50:54.403",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.4, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2013-08-28T23:55:04.823",
      "references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1029.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1784.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1785.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1786.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0029.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0245.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0254.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0400.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0034.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/53415\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/54108\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/57915\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.osvdb.org/93411\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id/1029431\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Patch\"]}, {\"url\": \"https://github.com/jline/jline2/issues/85\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/jruby/jruby/issues/732\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1029.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1784.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1785.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1786.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0029.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0245.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0254.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0400.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0034.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/53415\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/54108\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/57915\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.osvdb.org/93411\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1029431\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\"]}, {\"url\": \"https://github.com/jline/jline2/issues/85\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/jruby/jruby/issues/732\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-2035\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-08-28T23:55:04.823\",\"lastModified\":\"2026-04-29T01:13:23.040\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.\"},{\"lang\":\"es\",\"value\":\"Una condici\u00f3n de carrera en la biblioteca hawtjni-runtime/src/main/ java/org/fusesource/hawtjni/runtime/Library.java en HawtJNI anterior a versi\u00f3n 1.8, cuando una ruta (path) de biblioteca personalizada no se especifica, permite a los usuarios locales ejecutar c\u00f3digo Java arbitrario sobrescribiendo un Archivo JAR temporal con un nombre predecible en /tmp.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.7\",\"matchCriteriaId\":\"769B44C8-CDCD-4C7D-8973-5C5DDAA9094F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"25DBA7F9-4177-4AF8-AAD5-DC4027F020DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E4FD38A-4D4F-4369-B6E2-AD2E50A8F889\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1966148-E36A-427B-90FF-E7250C3D7645\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F332821B-AFD7-41B1-AFE5-ECEE08C2D8BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83996644-8ED7-4678-8CB9-8CA3D4C40025\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D8632FC-0843-4C52-BB67-BD5181FF2293\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:hawtjni:1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"27A5B63E-1CD9-4D57-A46B-A196683604FD\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1029.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1784.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1785.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1786.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0029.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0245.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0254.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0400.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0034.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/53415\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/54108\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/57915\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.osvdb.org/93411\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1029431\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://github.com/jline/jline2/issues/85\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/jruby/jruby/issues/732\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1784.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1785.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1786.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0245.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0254.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0400.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0034.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/53415\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/54108\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/57915\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.osvdb.org/93411\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1029431\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2035\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\"]},{\"url\":\"https://github.com/jline/jline2/issues/85\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/jruby/jruby/issues/732\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

RHSA-2015_0034

Vulnerability from csaf_redhat - Published: 2015-01-12 17:32 - Updated: 2024-11-22 08:27

Summary

Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0 security update

Severity

Moderate

Notes

Topic: Red Hat JBoss Data Virtualization 6.0.0 roll up patch 4, which fixes three security issues and various bugs, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details: Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems—such as multiple databases, XML files, and even Hadoop systems—appear as a set of tables in a local database. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files. The following security issues are also fixed with this release: It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server. (CVE-2014-0171) The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed. (CVE-2013-2035) It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials. (CVE-2014-0058) The CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product Security; the CVE-2013-2035 issue was discovered by Florian Weimer of Red Hat Product Security. All users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the Red Hat Customer Portal are advised to apply this roll up patch.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2013-2035

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.

3.3 ()


                        
                          AV:L/AC:M/Au:N/C:P/I:P/A:N

CWE-377 - Insecure Temporary File

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Data Virtualization 6.0 Red Hat / Red Hat JBoss Data Virtualization	`cpe:/a:redhat:jboss_data_virtualization:6.0`	—	Vendor Fix fix

Threats

Impact Low

CVE-2014-0058

It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.

1.9 ()


                        
                          AV:L/AC:M/Au:N/C:P/I:N/A:N

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Data Virtualization 6.0 Red Hat / Red Hat JBoss Data Virtualization	`cpe:/a:redhat:jboss_data_virtualization:6.0`	—	Vendor Fix fix

Threats

Impact Low

CVE-2014-0171

It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.

5.0 ()


                        
                          AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat JBoss Data Virtualization 6.0 Red Hat / Red Hat JBoss Data Virtualization	`cpe:/a:redhat:jboss_data_virtualization:6.0`	—	Vendor Fix fix

Threats

Impact Moderate

References

19 references

URL	Category
https://access.redhat.com/errata/RHSA-2015:0034	self
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/jbossnetwork/restricted…	external
https://bugzilla.redhat.com/show_bug.cgi?id=958618	external
https://bugzilla.redhat.com/show_bug.cgi?id=1063641	external
https://bugzilla.redhat.com/show_bug.cgi?id=1085555	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2013-2035	self
https://bugzilla.redhat.com/show_bug.cgi?id=958618	external
https://www.cve.org/CVERecord?id=CVE-2013-2035	external
https://nvd.nist.gov/vuln/detail/CVE-2013-2035	external
https://access.redhat.com/security/cve/CVE-2014-0058	self
https://bugzilla.redhat.com/show_bug.cgi?id=1063641	external
https://www.cve.org/CVERecord?id=CVE-2014-0058	external
https://nvd.nist.gov/vuln/detail/CVE-2014-0058	external
https://access.redhat.com/security/cve/CVE-2014-0171	self
https://bugzilla.redhat.com/show_bug.cgi?id=1085555	external
https://www.cve.org/CVERecord?id=CVE-2014-0171	external
https://nvd.nist.gov/vuln/detail/CVE-2014-0171	external

Acknowledgments

Red Hat Product Security Team Florian Weimer

Red Hat Product Security David Jorm

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Data Virtualization 6.0.0 roll up patch 4, which fixes three\nsecurity issues and various bugs, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Data Virtualization is a lean data integration solution that\nprovides easy, real-time, and unified data access across disparate sources\nto multiple applications and users. JBoss Data Virtualization makes data\nspread across physically distinct systems\u2014such as multiple databases, XML\nfiles, and even Hadoop systems\u2014appear as a set of tables in a local\ndatabase.\n\nThis roll up patch serves as a cumulative upgrade for Red Hat JBoss Data\nVirtualization 6.0.0. It includes various bug fixes, which are listed in\nthe README file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a\nREST endpoint was deployed, a remote attacker could submit a request\ncontaining an external XML entity that, when resolved, allowed that\nattacker to read files on the application server in the context of the user\nrunning that server. (CVE-2014-0171)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nIt was found that the security audit functionality logged request\nparameters in plain text. This may have caused passwords to be included in\nthe audit log files when using BASIC or FORM-based authentication. A local\nattacker with access to audit log files could possibly use this flaw to\nobtain application or server authentication credentials. (CVE-2014-0058)\n\nThe CVE-2014-0171 issue was discovered by David Jorm of Red Hat Product\nSecurity; the CVE-2013-2035 issue was discovered by Florian Weimer of Red\nHat Product Security.\n\nAll users of Red Hat JBoss Data Virtualization 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this roll up patch.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0034",
        "url": "https://access.redhat.com/errata/RHSA-2015:0034"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0"
      },
      {
        "category": "external",
        "summary": "958618",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
      },
      {
        "category": "external",
        "summary": "1063641",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
      },
      {
        "category": "external",
        "summary": "1085555",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1085555"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0034.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0 security update",
    "tracking": {
      "current_release_date": "2024-11-22T08:27:44+00:00",
      "generator": {
        "date": "2024-11-22T08:27:44+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:0034",
      "initial_release_date": "2015-01-12T17:32:39+00:00",
      "revision_history": [
        {
          "date": "2015-01-12T17:32:39+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:35:13+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:27:44+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Data Virtualization 6.0",
                "product": {
                  "name": "Red Hat JBoss Data Virtualization 6.0",
                  "product_id": "Red Hat JBoss Data Virtualization 6.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Virtualization"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Florian Weimer"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-2035",
      "cwe": {
        "id": "CWE-377",
        "name": "Insecure Temporary File"
      },
      "discovery_date": "2013-04-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "958618"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Virtualization 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-2035"
        },
        {
          "category": "external",
          "summary": "RHBZ#958618",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-2035"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035"
        }
      ],
      "release_date": "2013-05-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-01-12T17:32:39+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0034"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Data Virtualization 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution"
    },
    {
      "cve": "CVE-2014-0058",
      "discovery_date": "2014-02-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1063641"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that the security audit functionality logged request parameters in plain text. This may have caused passwords to be included in the audit log files when using BASIC or FORM-based authentication. A local attacker with access to audit log files could possibly use this flaw to obtain application or server authentication credentials.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "EAP6: Plain text password logging during security audit",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Virtualization 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0058"
        },
        {
          "category": "external",
          "summary": "RHBZ#1063641",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1063641"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0058",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0058"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0058"
        }
      ],
      "release_date": "2014-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-01-12T17:32:39+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0034"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Data Virtualization 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "EAP6: Plain text password logging during security audit"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "David Jorm"
          ],
          "organization": "Red Hat Product Security",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2014-0171",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2014-03-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1085555"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Odata4j: XML eXternal Entity (XXE) flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Data Virtualization 6.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0171"
        },
        {
          "category": "external",
          "summary": "RHBZ#1085555",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1085555"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0171",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0171"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0171"
        }
      ],
      "release_date": "2015-01-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-01-12T17:32:39+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Data Virtualization installation (including its\ndatabases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the Red Hat\nJBoss Data Virtualization server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Data Virtualization 6.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0034"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Data Virtualization 6.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Odata4j: XML eXternal Entity (XXE) flaw"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-2035 (GCVE-0-2013-2035)

RHSA-2015_0034

Tags

Sightings

Nomenclature