Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2013-2172 (GCVE-0-2013-2172)
Vulnerability from cvelistv5 – Published: 2013-08-20 22:00 – Updated: 2024-08-06 15:27
VLAI
EPSS
Summary
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
24 references
Date Public
2013-06-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:27:41.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2013:1219",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
},
{
"name": "54019",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/54019"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"name": "RHSA-2013:1218",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
},
{
"name": "RHSA-2013:1209",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"name": "USN-2028-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2028-1"
},
{
"name": "RHSA-2013:1217",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
},
{
"name": "RHSA-2013:1437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
},
{
"name": "RHSA-2013:1207",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
},
{
"name": "RHSA-2013:1375",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"name": "RHSA-2014:0212",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
},
{
"name": "RHSA-2013:1853",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"name": "RHSA-2013:1208",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
},
{
"name": "RHSA-2013:1220",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
},
{
"name": "60846",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/60846"
},
{
"name": "94651",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/94651"
},
{
"name": "DSA-3065",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3065"
},
{
"name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
},
{
"name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \"canonicalization algorithm to apply to the SignedInfo part of the Signature.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T10:06:19.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2013:1219",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html"
},
{
"name": "54019",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/54019"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html"
},
{
"name": "RHSA-2013:1218",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
},
{
"name": "RHSA-2013:1209",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/534161/100/0/threaded"
},
{
"name": "USN-2028-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2028-1"
},
{
"name": "RHSA-2013:1217",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html"
},
{
"name": "RHSA-2013:1437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h"
},
{
"name": "RHSA-2013:1207",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html"
},
{
"name": "RHSA-2013:1375",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html"
},
{
"name": "RHSA-2014:0212",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html"
},
{
"name": "RHSA-2013:1853",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html"
},
{
"name": "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Dec/23"
},
{
"name": "RHSA-2013:1208",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html"
},
{
"name": "RHSA-2013:1220",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html"
},
{
"name": "60846",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/60846"
},
{
"name": "94651",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/94651"
},
{
"name": "DSA-3065",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3065"
},
{
"name": "[santuario-commits] 20190823 svn commit: r1049214 - in /websites/production/santuario/content: cache/main.pageCache download.html index.html javaindex.html javareleasenotes.html secadv.data/CVE-2019-12400.asc secadv.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E"
},
{
"name": "[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-2172",
"datePublished": "2013-08-20T22:00:00.000Z",
"dateReserved": "2013-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-06T15:27:41.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2013-2172",
"date": "2026-06-05",
"epss": "0.03643",
"percentile": "0.88081"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3DB7492B-1D95-48D0-9892-C8A47FD15414\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7D8837A5-0840-44D3-BD7D-335611BDF64D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD0057FF-4F75-4F35-BD15-1093D22AFE04\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C65E4B50-5F5C-4F04-8CF8-4D1CCA2BF427\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5889CDAF-4F5A-42D9-A6CE-7F7A4222ECB4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EDD00EBA-1B65-4245-9A3D-D389830450BB\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \\\"canonicalization algorithm to apply to the SignedInfo part of the Signature.\\\"\"}, {\"lang\": \"es\", \"value\": \"jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java en Apache Santuario XML Security para Java 1.4.x anterior a 1.4.8 y 1.5.x anterior a 1.5.5 , permite a atacantes dependientes del contexto suplantar una firma XML utilizando el par\\u00e1metro \\\"CanonicalizationMethod\\\" para especificar la debilidad arbitraria: \\\"canonizaci\\u00f3n del algoritmo a aplicar para la parte SignedInfo de la firma\\\".\"}]",
"id": "CVE-2013-2172",
"lastModified": "2024-11-21T01:51:10.880",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2013-08-20T22:55:04.093",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1207.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1208.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1209.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1217.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1218.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1219.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1220.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1375.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1437.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1853.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0212.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2014/Dec/23\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/54019\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.debian.org/security/2014/dsa-3065\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.osvdb.org/94651\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/archive/1/534161/100/0/threaded\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/60846\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.ubuntu.com/usn/USN-2028-1\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1207.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1208.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1209.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1217.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1218.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1219.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1220.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1375.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1437.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1853.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0212.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2014/Dec/23\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/54019\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.debian.org/security/2014/dsa-3065\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.osvdb.org/94651\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/534161/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/60846\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.ubuntu.com/usn/USN-2028-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-310\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2013-2172\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-08-20T22:55:04.093\",\"lastModified\":\"2026-04-29T01:13:23.040\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak \\\"canonicalization algorithm to apply to the SignedInfo part of the Signature.\\\"\"},{\"lang\":\"es\",\"value\":\"jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java en Apache Santuario XML Security para Java 1.4.x anterior a 1.4.8 y 1.5.x anterior a 1.5.5 , permite a atacantes dependientes del contexto suplantar una firma XML utilizando el par\u00e1metro \\\"CanonicalizationMethod\\\" para especificar la debilidad arbitraria: \\\"canonizaci\u00f3n del algoritmo a aplicar para la parte SignedInfo de la firma\\\".\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:santuario_xml_security_for_java:1.4.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3DB7492B-1D95-48D0-9892-C8A47FD15414\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D8837A5-0840-44D3-BD7D-335611BDF64D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD0057FF-4F75-4F35-BD15-1093D22AFE04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C65E4B50-5F5C-4F04-8CF8-4D1CCA2BF427\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5889CDAF-4F5A-42D9-A6CE-7F7A4222ECB4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:santuario_xml_security_for_java:1.5.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDD00EBA-1B65-4245-9A3D-D389830450BB\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1207.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1208.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1209.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1217.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1218.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1219.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1220.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1375.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1437.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1853.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0212.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2014/Dec/23\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/54019\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.debian.org/security/2014/dsa-3065\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.osvdb.org/94651\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/archive/1/534161/100/0/threaded\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/60846\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2028-1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1207.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1208.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1209.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1217.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1218.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1219.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1220.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1375.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1437.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1853.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0212.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2014/Dec/23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/54019\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.debian.org/security/2014/dsa-3065\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.osvdb.org/94651\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/534161/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/60846\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2028-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2014_0400
Vulnerability from csaf_redhat - Published: 2014-04-14 13:46 - Updated: 2024-11-22 08:11Summary
Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update
Severity
Moderate
Notes
Topic: Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
The Red Hat Security Response Team has rated this update as having
Moderate security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Red Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat
JBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the link in the References
section, for a list of changes.
Details: Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Security fixes:
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)
A flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle
attacker could possibly use this flaw to unilaterally disable bidirectional
authentication between a client and a server, forcing a downgrade to simple
(unidirectional) authentication. This flaw only affected users who have
enabled Hadoop's Kerberos security features. (CVE-2013-2192)
It was discovered that the Spring OXM wrapper did not expose any property
for disabling entity resolution when using the JAXB unmarshaller. A remote
attacker could use this flaw to conduct XML External Entity (XXE) attacks
on web sites, and read files in the context of the user running the
application server. (CVE-2013-4152)
It was discovered that the Apache Santuario XML Security for Java project
allowed Document Type Definitions (DTDs) to be processed when applying
Transforms even when secure validation was enabled. A remote attacker could
use this flaw to exhaust all available memory on the system, causing a
denial of service. (CVE-2013-4517)
It was found that the Spring MVC SourceHttpMessageConverter enabled entity
resolution by default. A remote attacker could use this flaw to conduct XXE
attacks on web sites, and read files in the context of the user running the
application server. (CVE-2013-6429)
The Spring JavaScript escape method insufficiently escaped some characters.
Applications using this method to escape user-supplied content, which would
be rendered in HTML5 documents, could be exposed to cross-site scripting
(XSS) flaws. (CVE-2013-6430)
A denial of service flaw was found in the way Apache Commons FileUpload
handled small-sized buffers used by MultipartStream. A remote attacker
could use this flaw to create a malformed Content-Type header for a
multipart request, causing Apache Commons FileUpload to enter an infinite
loop when processing such an incoming request. (CVE-2014-0050)
It was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues
in Spring were incomplete. Spring MVC processed user-provided XML and
neither disabled XML external entities nor provided an option to disable
them, possibly allowing a remote attacker to conduct XXE attacks.
(CVE-2014-0054)
A cross-site scripting (XSS) flaw was found in the Spring Framework when
using Spring MVC. When the action was not specified in a Spring form, the
action field would be populated with the requested URI, allowing an
attacker to inject malicious content into the form. (CVE-2014-1904)
The HawtJNI Library class wrote native libraries to a predictable file name
in /tmp when the native libraries were bundled in a JAR file, and no custom
library path was specified. A local attacker could overwrite these native
libraries with malicious versions during the window between when HawtJNI
writes them and when they are executed. (CVE-2013-2035)
An information disclosure flaw was found in the way Apache Zookeeper stored
the password of an administrative user in the log files. A local user with
access to these log files could use the exposed sensitive information to
gain administrative access to an application using Apache Zookeeper.
(CVE-2014-0085)
The CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and
Arun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035
issue was discovered by Florian Weimer of the Red Hat Product Security
Team, and the CVE-2014-0085 issue was discovered by Graeme Colman of
Red Hat.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
5.1 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.
3.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
5.8 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.
3.2 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
4.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
5.0 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.
2.1 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
4.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.
4.3 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse 6.1
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:jboss_fuse:6.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
78 references
Acknowledgments
Red Hat Product Security Team
Florian Weimer
Coverity SRL
Jon Passki
Red Hat Security Response Team
Arun Neelicattu
Red Hat
Graeme Colman
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Fuse 6.1.0, which fixes multiple security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nModerate security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nRed Hat JBoss Fuse 6.1.0 is a minor product release that updates Red Hat\nJBoss Fuse 6.0.0, and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nSecurity fixes:\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nA flaw was found in the Apache Hadoop RPC protocol. A man-in-the-middle\nattacker could possibly use this flaw to unilaterally disable bidirectional\nauthentication between a client and a server, forcing a downgrade to simple\n(unidirectional) authentication. This flaw only affected users who have\nenabled Hadoop\u0027s Kerberos security features. (CVE-2013-2192)\n\nIt was discovered that the Spring OXM wrapper did not expose any property\nfor disabling entity resolution when using the JAXB unmarshaller. A remote\nattacker could use this flaw to conduct XML External Entity (XXE) attacks\non web sites, and read files in the context of the user running the\napplication server. (CVE-2013-4152)\n\nIt was discovered that the Apache Santuario XML Security for Java project\nallowed Document Type Definitions (DTDs) to be processed when applying\nTransforms even when secure validation was enabled. A remote attacker could\nuse this flaw to exhaust all available memory on the system, causing a\ndenial of service. (CVE-2013-4517)\n\nIt was found that the Spring MVC SourceHttpMessageConverter enabled entity\nresolution by default. A remote attacker could use this flaw to conduct XXE\nattacks on web sites, and read files in the context of the user running the\napplication server. (CVE-2013-6429)\n\nThe Spring JavaScript escape method insufficiently escaped some characters.\nApplications using this method to escape user-supplied content, which would\nbe rendered in HTML5 documents, could be exposed to cross-site scripting\n(XSS) flaws. (CVE-2013-6430)\n\nA denial of service flaw was found in the way Apache Commons FileUpload\nhandled small-sized buffers used by MultipartStream. A remote attacker\ncould use this flaw to create a malformed Content-Type header for a\nmultipart request, causing Apache Commons FileUpload to enter an infinite\nloop when processing such an incoming request. (CVE-2014-0050)\n\nIt was found that fixes for the CVE-2013-4152 and CVE-2013-6429 XXE issues\nin Spring were incomplete. Spring MVC processed user-provided XML and\nneither disabled XML external entities nor provided an option to disable\nthem, possibly allowing a remote attacker to conduct XXE attacks.\n(CVE-2014-0054)\n\nA cross-site scripting (XSS) flaw was found in the Spring Framework when\nusing Spring MVC. When the action was not specified in a Spring form, the\naction field would be populated with the requested URI, allowing an\nattacker to inject malicious content into the form. (CVE-2014-1904)\n\nThe HawtJNI Library class wrote native libraries to a predictable file name\nin /tmp when the native libraries were bundled in a JAR file, and no custom\nlibrary path was specified. A local attacker could overwrite these native\nlibraries with malicious versions during the window between when HawtJNI\nwrites them and when they are executed. (CVE-2013-2035)\n\nAn information disclosure flaw was found in the way Apache Zookeeper stored\nthe password of an administrative user in the log files. A local user with\naccess to these log files could use the exposed sensitive information to\ngain administrative access to an application using Apache Zookeeper.\n(CVE-2014-0085)\n\nThe CVE-2013-6430 issue was discovered by Jon Passki of Coverity SRL and\nArun Neelicattu of the Red Hat Security Response Team, the CVE-2013-2035\nissue was discovered by Florian Weimer of the Red Hat Product Security\nTeam, and the CVE-2014-0085 issue was discovered by Graeme Colman of\nRed Hat.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0400",
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=6.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=distributions\u0026version=6.1.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Fuse/"
},
{
"category": "external",
"summary": "958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "999263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=999263"
},
{
"category": "external",
"summary": "1000186",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1000186"
},
{
"category": "external",
"summary": "1001326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1001326"
},
{
"category": "external",
"summary": "1039783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1039783"
},
{
"category": "external",
"summary": "1045257",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1045257"
},
{
"category": "external",
"summary": "1053290",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1053290"
},
{
"category": "external",
"summary": "1062337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1062337"
},
{
"category": "external",
"summary": "1067265",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1067265"
},
{
"category": "external",
"summary": "1075296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1075296"
},
{
"category": "external",
"summary": "1075328",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1075328"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0400.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse 6.1.0 update",
"tracking": {
"current_release_date": "2024-11-22T08:11:58+00:00",
"generator": {
"date": "2024-11-22T08:11:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0400",
"initial_release_date": "2014-04-14T13:46:50+00:00",
"revision_history": [
{
"date": "2014-04-14T13:46:50+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-04-14T14:27:37+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:11:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.1",
"product": {
"name": "Red Hat JBoss Fuse 6.1",
"product_id": "Red Hat JBoss Fuse 6.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.1.0"
}
}
}
],
"category": "product_family",
"name": "Fuse Enterprise Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-1624",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2013-02-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "908428"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: TLS CBC padding timing attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1624"
},
{
"category": "external",
"summary": "RHBZ#908428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=908428"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1624",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1624"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/",
"url": "http://www.isg.rhul.ac.uk/tls/"
},
{
"category": "external",
"summary": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
}
],
"release_date": "2013-02-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: TLS CBC padding timing attack"
},
{
"acknowledgments": [
{
"names": [
"Florian Weimer"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-2035",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2013-04-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "958618"
}
],
"notes": [
{
"category": "description",
"text": "The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HawtJNI: predictable temporary file name leading to local arbitrary code execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2035"
},
{
"category": "external",
"summary": "RHBZ#958618",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=958618"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2035",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2035"
}
],
"release_date": "2013-05-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "HawtJNI: predictable temporary file name leading to local arbitrary code execution"
},
{
"cve": "CVE-2013-2172",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2013-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "999263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Java: XML signature spoofing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2172"
},
{
"category": "external",
"summary": "RHBZ#999263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=999263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2172",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2172"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172"
},
{
"category": "external",
"summary": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
"url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
}
],
"release_date": "2013-06-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Java: XML signature spoofing"
},
{
"cve": "CVE-2013-2192",
"discovery_date": "2013-08-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1001326"
}
],
"notes": [
{
"category": "description",
"text": "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hadoop: man-in-the-middle vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2192"
},
{
"category": "external",
"summary": "RHBZ#1001326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1001326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2192",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2192"
}
],
"release_date": "2013-08-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:H/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "hadoop: man-in-the-middle vulnerability"
},
{
"cve": "CVE-2013-4152",
"discovery_date": "2013-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1000186"
}
],
"notes": [
{
"category": "description",
"text": "The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Framework: XML External Entity (XXE) injection flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4152"
},
{
"category": "external",
"summary": "RHBZ#1000186",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1000186"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4152",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4152"
},
{
"category": "external",
"summary": "http://www.gopivotal.com/security/cve-2013-4152",
"url": "http://www.gopivotal.com/security/cve-2013-4152"
},
{
"category": "external",
"summary": "https://github.com/SpringSource/spring-framework/pull/317",
"url": "https://github.com/SpringSource/spring-framework/pull/317"
},
{
"category": "external",
"summary": "https://jira.springsource.org/browse/SPR-10806",
"url": "https://jira.springsource.org/browse/SPR-10806"
}
],
"release_date": "2013-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Framework: XML External Entity (XXE) injection flaw"
},
{
"cve": "CVE-2013-4517",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-12-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1045257"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Java: Java XML Signature DoS Attack",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4517"
},
{
"category": "external",
"summary": "RHBZ#1045257",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1045257"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4517",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4517"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4517",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4517"
}
],
"release_date": "2013-11-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Java: Java XML Signature DoS Attack"
},
{
"cve": "CVE-2013-6429",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2014-01-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1053290"
}
],
"notes": [
{
"category": "description",
"text": "The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Framework: XML External Entity (XXE) injection flaw",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6429"
},
{
"category": "external",
"summary": "RHBZ#1053290",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1053290"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6429",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6429"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6429"
},
{
"category": "external",
"summary": "http://www.gopivotal.com/security/cve-2013-6429",
"url": "http://www.gopivotal.com/security/cve-2013-6429"
}
],
"release_date": "2014-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Framework: XML External Entity (XXE) injection flaw"
},
{
"acknowledgments": [
{
"names": [
"Jon Passki"
],
"organization": "Coverity SRL"
},
{
"names": [
"Arun Neelicattu"
],
"organization": "Red Hat Security Response Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6430",
"discovery_date": "2013-12-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1039783"
}
],
"notes": [
{
"category": "description",
"text": "The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6430"
},
{
"category": "external",
"summary": "RHBZ#1039783",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1039783"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6430",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6430"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6430",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6430"
},
{
"category": "external",
"summary": "http://www.gopivotal.com/security/cve-2013-6430",
"url": "http://www.gopivotal.com/security/cve-2013-6430"
}
],
"release_date": "2014-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Framework: org.spring.web.util.JavaScriptUtils.javaScriptEscape insufficient escaping of characters"
},
{
"cve": "CVE-2014-0050",
"discovery_date": "2014-02-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1062337"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0050"
},
{
"category": "external",
"summary": "RHBZ#1062337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1062337"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0050",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0050"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0050",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0050"
}
],
"release_date": "2014-02-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream"
},
{
"cve": "CVE-2014-0054",
"discovery_date": "2014-03-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1075328"
}
],
"notes": [
{
"category": "description",
"text": "The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0054"
},
{
"category": "external",
"summary": "RHBZ#1075328",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1075328"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0054",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0054"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0054",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0054"
},
{
"category": "external",
"summary": "http://www.gopivotal.com/security/cve-2014-0054",
"url": "http://www.gopivotal.com/security/cve-2014-0054"
}
],
"release_date": "2014-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429"
},
{
"acknowledgments": [
{
"names": [
"Graeme Colman"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0085",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"discovery_date": "2014-02-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1067265"
}
],
"notes": [
{
"category": "description",
"text": "JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse\u0027s usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Fuse: admin user cleartext password appears in logging",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw only affects Apache Zookeeper in conjunction with Fuse Fabric. Fuse Fabric was storing cleartext passwords, which would appear as cleartext in Apache Zookeeper\u0027s log files. Fuse Fabric now encrypts passwords by default.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0085"
},
{
"category": "external",
"summary": "RHBZ#1067265",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1067265"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0085",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0085"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0085",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0085"
}
],
"release_date": "2014-04-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Fuse: admin user cleartext password appears in logging"
},
{
"cve": "CVE-2014-1904",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2014-03-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1075296"
}
],
"notes": [
{
"category": "description",
"text": "Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Framework: cross-site scripting flaw when using Spring MVC",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat Security Response Team has rated this issue as having Moderate security impact. OpenShift Enterprise 1 is currently in the Production 1 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift page.\n\nFuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-1904"
},
{
"category": "external",
"summary": "RHBZ#1075296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1075296"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-1904",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-1904"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-1904",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1904"
},
{
"category": "external",
"summary": "http://www.gopivotal.com/security/cve-2014-1904",
"url": "http://www.gopivotal.com/security/cve-2014-1904"
}
],
"release_date": "2014-02-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Framework: cross-site scripting flaw when using Spring MVC"
},
{
"cve": "CVE-2014-3584",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2014-10-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1157330"
}
],
"notes": [
{
"category": "description",
"text": "The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect Apache CXF as shipped with Red Hat JBoss Enterprise Application Platform 5 and 6; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 5; Red Hat JBoss Fuse Service Works 6; Red Hat JBoss BRMS 5 and 6; Red Hat JBoss BPM Suite 6; Red Hat JBoss Data Virtualization 6; Red Hat JBoss Operations Network 3 and Red Hat JBoss Portal Platform 6 as the REST Web Services endpoints are not available.\n\nFuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse 6.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-3584"
},
{
"category": "external",
"summary": "RHBZ#1157330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1157330"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-3584",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3584"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3584",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3584"
}
],
"release_date": "2014-10-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-04-14T13:46:50+00:00",
"details": "All users of Red Hat JBoss Fuse 6.0.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Red Hat JBoss Fuse 6.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0400"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse 6.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: Denial of Service (DoS) via invalid JAX-RS SAML tokens"
}
]
}
RHSA-2014_1369
Vulnerability from csaf_redhat - Published: 2014-10-09 16:07 - Updated: 2024-11-22 08:14Summary
Red Hat Security Advisory: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Severity
Important
Notes
Topic: Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6 (Patch 6 on Rollup Patch 1),
which addresses three security issues, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details: Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
This release of Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6 is an update
to Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0. The following
security issues are addressed with this release:
It was discovered that Apache Shiro authenticated users without specifying
a user name or a password when used in conjunction with an LDAP back end
that allowed unauthenticated binds. (CVE-2014-0074)
It was found that the secure processing feature of Xalan-Java had
insufficient restrictions defined for certain properties and features.
A remote attacker able to provide Extensible Stylesheet Language
Transformations (XSLT) content to be processed by an application using
Xalan-Java could use this flaw to bypass the intended constraints of the
secure processing feature. Depending on the components available in the
classpath, this could lead to arbitrary remote code execution in the
context of the application server running the application that uses
Xalan-Java. (CVE-2014-0107)
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially crafted XML signature block. (CVE-2013-2172)
All users of Fuse ESB Enterprise/MQ Enterprise 7.1.0 as provided from the
Red Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise/MQ
Enterprise 7.1.0 R1 P6.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.
5.8 ()
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Fuse ESB Enterprise 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_esb_enterprise:7.1.0
|
— |
Vendor Fix
fix
|
|
Fuse MQ Enterprise 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_mq_enterprise:7.1.0
|
— |
Vendor Fix
fix
|
|
Fuse Management Console 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_management_console:7.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.
7.5 ()
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Fuse ESB Enterprise 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_esb_enterprise:7.1.0
|
— |
Vendor Fix
fix
|
|
Fuse MQ Enterprise 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_mq_enterprise:7.1.0
|
— |
Vendor Fix
fix
|
|
Fuse Management Console 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_management_console:7.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
6.8 ()
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Fuse ESB Enterprise 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_esb_enterprise:7.1.0
|
— |
Vendor Fix
fix
|
|
Fuse MQ Enterprise 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_mq_enterprise:7.1.0
|
— |
Vendor Fix
fix
|
|
Fuse Management Console 7.1.0
Red Hat / Fuse Enterprise Middleware
|
cpe:/a:redhat:fuse_management_console:7.1.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6 (Patch 6 on Rollup Patch 1),\nwhich addresses three security issues, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\nFuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis release of Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P6 is an update\nto Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0. The following\nsecurity issues are addressed with this release:\n\nIt was discovered that Apache Shiro authenticated users without specifying\na user name or a password when used in conjunction with an LDAP back end\nthat allowed unauthenticated binds. (CVE-2014-0074)\n\nIt was found that the secure processing feature of Xalan-Java had\ninsufficient restrictions defined for certain properties and features.\nA remote attacker able to provide Extensible Stylesheet Language\nTransformations (XSLT) content to be processed by an application using\nXalan-Java could use this flaw to bypass the intended constraints of the\nsecure processing feature. Depending on the components available in the\nclasspath, this could lead to arbitrary remote code execution in the\ncontext of the application server running the application that uses\nXalan-Java. (CVE-2014-0107)\n\nA flaw was found in the way Apache Santuario XML Security for Java\nvalidated XML signatures. Santuario allowed a signature to specify an\narbitrary canonicalization algorithm, which would be applied to the\nSignedInfo XML fragment. A remote attacker could exploit this to spoof an\nXML signature via a specially crafted XML signature block. (CVE-2013-2172)\n\nAll users of Fuse ESB Enterprise/MQ Enterprise 7.1.0 as provided from the\nRed Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise/MQ\nEnterprise 7.1.0 R1 P6.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1369",
"url": "https://access.redhat.com/errata/RHSA-2014:1369"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0"
},
{
"category": "external",
"summary": "999263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=999263"
},
{
"category": "external",
"summary": "1072603",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072603"
},
{
"category": "external",
"summary": "1080248",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1080248"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1369.json"
}
],
"title": "Red Hat Security Advisory: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update",
"tracking": {
"current_release_date": "2024-11-22T08:14:17+00:00",
"generator": {
"date": "2024-11-22T08:14:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:1369",
"initial_release_date": "2014-10-09T16:07:38+00:00",
"revision_history": [
{
"date": "2014-10-09T16:07:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-10-09T16:07:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:14:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fuse ESB Enterprise 7.1.0",
"product": {
"name": "Fuse ESB Enterprise 7.1.0",
"product_id": "Fuse ESB Enterprise 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0"
}
}
},
{
"category": "product_name",
"name": "Fuse Management Console 7.1.0",
"product": {
"name": "Fuse Management Console 7.1.0",
"product_id": "Fuse Management Console 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_management_console:7.1.0"
}
}
},
{
"category": "product_name",
"name": "Fuse MQ Enterprise 7.1.0",
"product": {
"name": "Fuse MQ Enterprise 7.1.0",
"product_id": "Fuse MQ Enterprise 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0"
}
}
}
],
"category": "product_family",
"name": "Fuse Enterprise Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2013-2172",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2013-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "999263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way Apache Santuario XML Security for Java validated XML signatures. Santuario allowed a signature to specify an arbitrary canonicalization algorithm, which would be applied to the SignedInfo XML fragment. A remote attacker could exploit this to spoof an XML signature via a specially crafted XML signature block.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Java: XML signature spoofing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-2172"
},
{
"category": "external",
"summary": "RHBZ#999263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=999263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-2172",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-2172"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172"
},
{
"category": "external",
"summary": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc",
"url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc"
}
],
"release_date": "2013-06-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-10-09T16:07:38+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1369"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Java: XML signature spoofing"
},
{
"cve": "CVE-2014-0074",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"discovery_date": "2014-03-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1072603"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Shiro: successful authentication without specifying user name or password",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0074"
},
{
"category": "external",
"summary": "RHBZ#1072603",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072603"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0074",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0074"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0074",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0074"
}
],
"release_date": "2014-03-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-10-09T16:07:38+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1369"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Shiro: successful authentication without specifying user name or password"
},
{
"cve": "CVE-2014-0107",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2014-03-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1080248"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Xalan-Java: insufficient constraints in secure processing feature",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0107"
},
{
"category": "external",
"summary": "RHBZ#1080248",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1080248"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0107",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0107"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0107",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0107"
},
{
"category": "external",
"summary": "http://www.ocert.org/advisories/ocert-2014-002.html",
"url": "http://www.ocert.org/advisories/ocert-2014-002.html"
}
],
"release_date": "2014-03-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-10-09T16:07:38+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update).",
"product_ids": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1369"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Xalan-Java: insufficient constraints in secure processing feature"
}
]
}
WID-SEC-W-2022-1738
Vulnerability from csaf_certbund - Published: 2022-10-16 22:00 - Updated: 2023-09-27 22:00Summary
IBM InfoSphere Information Server: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme: - UNIX
- Linux
- Windows
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.
Affected products
Known affected
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM InfoSphere Information Server 11.7
IBM
|
cpe:/a:ibm:infosphere_information_server:11.7
|
— | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— |
References
17 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-1738 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1738.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-1738 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1738"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7038982 vom 2023-09-28",
"url": "https://www.ibm.com/support/pages/node/7038982"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829353 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829353"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829371 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829371"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829373 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829373"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829335 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829335"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829311 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829311"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829369 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829369"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829325 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829325"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829365 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829365"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829361 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829361"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829339 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829339"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829349 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829349"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829363 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829363"
},
{
"category": "external",
"summary": "IBM Security Bulletin: 6829327 vom 2022-10-16",
"url": "https://www.ibm.com/support/pages/node/6829327"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6955819 vom 2023-02-15",
"url": "https://www.ibm.com/support/pages/node/6955819"
}
],
"source_lang": "en-US",
"title": "IBM InfoSphere Information Server: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-09-27T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:36:32.285+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2022-1738",
"initial_release_date": "2022-10-16T22:00:00.000+00:00",
"revision_history": [
{
"date": "2022-10-16T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2022-11-03T23:00:00.000+00:00",
"number": "2",
"summary": "CVE erg\u00e4nzt"
},
{
"date": "2023-02-15T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2023-09-27T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM InfoSphere Information Server 11.7",
"product": {
"name": "IBM InfoSphere Information Server 11.7",
"product_id": "444803",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
}
}
},
{
"category": "product_name",
"name": "IBM QRadar SIEM",
"product": {
"name": "IBM QRadar SIEM",
"product_id": "T021415",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:qradar_siem:-"
}
}
}
],
"category": "vendor",
"name": "IBM"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2009-0217",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2009-0217"
},
{
"cve": "CVE-2009-2625",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2009-2625"
},
{
"cve": "CVE-2012-0881",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2012-0881"
},
{
"cve": "CVE-2012-2098",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2012-2098"
},
{
"cve": "CVE-2013-2172",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2013-2172"
},
{
"cve": "CVE-2013-4002",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2013-4002"
},
{
"cve": "CVE-2013-4517",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2013-4517"
},
{
"cve": "CVE-2015-4852",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2015-4852"
},
{
"cve": "CVE-2015-6420",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2015-6420"
},
{
"cve": "CVE-2015-7501",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2015-7501"
},
{
"cve": "CVE-2017-15708",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2017-15708"
},
{
"cve": "CVE-2019-13116",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2019-13116"
},
{
"cve": "CVE-2021-33813",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2021-33813"
},
{
"cve": "CVE-2021-36373",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2021-36373"
},
{
"cve": "CVE-2021-36374",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2021-36374"
},
{
"cve": "CVE-2021-40690",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2021-40690"
},
{
"cve": "CVE-2021-41089",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2021-41089"
},
{
"cve": "CVE-2021-41091",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2021-41091"
},
{
"cve": "CVE-2022-22442",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-22442"
},
{
"cve": "CVE-2022-23437",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-23437"
},
{
"cve": "CVE-2022-24769",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-24769"
},
{
"cve": "CVE-2022-30608",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-30608"
},
{
"cve": "CVE-2022-30615",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-30615"
},
{
"cve": "CVE-2022-31129",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-31129"
},
{
"cve": "CVE-2022-35642",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-35642"
},
{
"cve": "CVE-2022-35717",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-35717"
},
{
"cve": "CVE-2022-36109",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-36109"
},
{
"cve": "CVE-2022-40235",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-40235"
},
{
"cve": "CVE-2022-40747",
"notes": [
{
"category": "description",
"text": "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind teilweise auf Fehler in Komponenten des Produktes zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode auszuf\u00fchren, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren, Dateien zu manipulieren oder Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"444803",
"T021415"
]
},
"release_date": "2022-10-16T22:00:00.000+00:00",
"title": "CVE-2022-40747"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…