CVE-2020-2933
Vulnerability from cvelistv5
Vendor | Product | Version
---|---|---
Oracle Corporation | MySQL Connectors | 5.1.48 and prior
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T07:24:00.692Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { name: "DSA-4703", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2020/dsa-4703", }, { name: "FEDORA-2020-747ec39700", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { name: "FEDORA-2020-35995bb2d3", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { name: "GLSA-202105-27", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/202105-27", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2020-2933", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-27T18:00:47.319725Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-27T18:48:58.711Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "MySQL Connectors", vendor: "Oracle Corporation", versions: [ { status: "affected", version: "5.1.48 and prior", }, ], }, ], descriptions: [ { lang: "en", value: 
"Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { description: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-26T11:08:20", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { name: "DSA-4703", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2020/dsa-4703", }, { name: "FEDORA-2020-747ec39700", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { name: "FEDORA-2020-35995bb2d3", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { name: "GLSA-202105-27", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/202105-27", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2020-2933", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MySQL Connectors", version: { version_data: [ { version_affected: "=", version_value: "5.1.48 and prior", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). 
Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", }, ], }, impact: { cvss: { baseScore: "2.2", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors.", }, ], }, ], }, references: { reference_data: [ { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { name: "DSA-4703", refsource: "DEBIAN", url: "https://www.debian.org/security/2020/dsa-4703", }, { name: "FEDORA-2020-747ec39700", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { name: "FEDORA-2020-35995bb2d3", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { name: "GLSA-202105-27", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/202105-27", }, ], }, }, }, }, cveMetadata: { assignerOrgId: 
"43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2020-2933", datePublished: "2020-04-15T13:29:53", dateReserved: "2019-12-10T00:00:00", dateUpdated: "2024-09-27T18:48:58.711Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:mysql_connector\\\\/j:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"5.1.48\", \"matchCriteriaId\": \"AD15EE6F-5465-4029-8587-C02A521C1C90\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad en el producto MySQL Connectors de Oracle MySQL (componente: Conector/J). Las versiones compatibles que est\\u00e1n afectadas son la 5.1.48 y anteriores. Una vulnerabilidad dif\\u00edcil de explotar permite a un atacante muy privilegiado con acceso a la red por medio de m\\u00faltiples protocolos comprometer a MySQL Connectors. Los ataques con \\u00e9xito de esta vulnerabilidad pueden resultar en una capacidad no autorizada para causar una denegaci\\u00f3n de servicio parcial (DOS parcial) de MySQL Connectors. CVSS 3.0 Puntuaci\\u00f3n Base 2.2 (Impactos de la disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).\"}]", id: "CVE-2020-2933", lastModified: "2024-11-21T05:26:40.043", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 2.2, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 1.4}], \"cvssMetricV30\": [{\"source\": \"secalert_us@oracle.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 2.2, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", 
\"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:N/A:P\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2020-04-15T14:15:36.357", references: "[{\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\", \"source\": \"secalert_us@oracle.com\"}, {\"url\": \"https://security.gentoo.org/glsa/202105-27\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4703\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"secalert_us@oracle.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202105-27\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4703\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2020-2933\",\"sourceIdentifier\":\"secalert_us@oracle.com\",\"published\":\"2020-04-15T14:15:36.357\",\"lastModified\":\"2024-11-21T05:26:40.043\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad en el producto MySQL Connectors de Oracle MySQL (componente: Conector/J). Las versiones compatibles que están afectadas son la 5.1.48 y anteriores. 
Una vulnerabilidad difícil de explotar permite a un atacante muy privilegiado con acceso a la red por medio de múltiples protocolos comprometer a MySQL Connectors. Los ataques con éxito de esta vulnerabilidad pueden resultar en una capacidad no autorizada para causar una denegación de servicio parcial (DOS parcial) de MySQL Connectors. CVSS 3.0 Puntuación Base 2.2 (Impactos de la disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":2.2,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.7,\"impactScore\":1.4}],\"cvssMetricV30\":[{\"source\":\"secalert_us@oracle.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":2.2,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.7,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:N/A:P\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\"
:false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:mysql_connector\\\\/j:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.1.48\",\"matchCriteriaId\":\"AD15EE6F-5465-4029-8587-C02A521C1C90\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\",\"source\":\"secalert_us@oracle.com\"},{\"url\":\"https://security.gentoo.org/glsa/202105-27\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4703\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Third 
Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"secalert_us@oracle.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202105-27\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4703\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\", \"name\": \"[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4703\", \"name\": \"DSA-4703\", \"tags\": [\"vendor-advisory\", \"x_refsource_DEBIAN\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\", \"name\": \"FEDORA-2020-747ec39700\", 
\"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\", \"name\": \"FEDORA-2020-35995bb2d3\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202105-27\", \"name\": \"GLSA-202105-27\", \"tags\": [\"vendor-advisory\", \"x_refsource_GENTOO\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T07:24:00.692Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2020-2933\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-27T18:00:47.319725Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-27T18:01:42.849Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 2.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Oracle Corporation\", \"product\": \"MySQL Connectors\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.1.48 and prior\"}]}], \"references\": [{\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\", \"name\": \"[debian-lts-announce] 
20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4703\", \"name\": \"DSA-4703\", \"tags\": [\"vendor-advisory\", \"x_refsource_DEBIAN\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\", \"name\": \"FEDORA-2020-747ec39700\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\", \"name\": \"FEDORA-2020-35995bb2d3\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}, {\"url\": \"https://security.gentoo.org/glsa/202105-27\", \"name\": \"GLSA-202105-27\", \"tags\": [\"vendor-advisory\", \"x_refsource_GENTOO\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors.\"}]}], \"providerMetadata\": {\"orgId\": \"43595867-4340-4103-b7a2-9a5208d29a85\", \"shortName\": \"oracle\", \"dateUpdated\": \"2021-05-26T11:08:20\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"version\": \"3.0\", \"baseScore\": \"2.2\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L\"}}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"5.1.48 and prior\", \"version_affected\": \"=\"}]}, \"product_name\": \"MySQL Connectors\"}]}, \"vendor_name\": \"Oracle Corporation\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"name\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"refsource\": \"MISC\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html\", \"name\": \"[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update\", \"refsource\": \"MLIST\"}, {\"url\": \"https://www.debian.org/security/2020/dsa-4703\", \"name\": \"DSA-4703\", \"refsource\": \"DEBIAN\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/\", \"name\": \"FEDORA-2020-747ec39700\", \"refsource\": \"FEDORA\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/\", \"name\": \"FEDORA-2020-35995bb2d3\", \"refsource\": \"FEDORA\"}, {\"url\": \"https://security.gentoo.org/glsa/202105-27\", \"name\": \"GLSA-202105-27\", \"refsource\": \"GENTOO\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Vulnerability in the MySQL Connectors product of Oracle MySQL 
(component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors.\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2020-2933\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"secalert_us@oracle.com\"}}}}", cveMetadata: "{\"cveId\": \"CVE-2020-2933\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-27T18:48:58.711Z\", \"dateReserved\": \"2019-12-10T00:00:00\", \"assignerOrgId\": \"43595867-4340-4103-b7a2-9a5208d29a85\", \"datePublished\": \"2020-04-15T13:29:53\", \"assignerShortName\": \"oracle\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
ghsa-cj4p-6gr4-7rwr
Vulnerability from github
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. A difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in an unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
{ affected: [], aliases: [ "CVE-2020-2933", ], database_specific: { cwe_ids: [], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2020-04-15T14:15:00Z", severity: "LOW", }, details: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", id: "GHSA-cj4p-6gr4-7rwr", modified: "2022-07-01T00:01:05Z", published: "2022-05-24T17:15:11Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, { type: "WEB", url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D", }, { type: "WEB", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA", }, { type: "WEB", url: "https://security.gentoo.org/glsa/202105-27", }, { type: "WEB", url: "https://www.debian.org/security/2020/dsa-4703", }, { type: "WEB", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", type: "CVSS_V3", }, ], }
RHSA-2020:4960
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Decision Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. 
\n\nThis release of Red Hat Decision Manager 7.9.0 serves as an update to Red Hat Decision Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2020:4960", url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhdm&version=7.9.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhdm&version=7.9.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.9/", url: "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.9/", }, { category: "external", summary: "1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "1837444", url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4960.json", }, ], title: "Red Hat Security Advisory: Red Hat Decision Manager 7.9.0 security update", tracking: { current_release_date: "2025-03-15T21:13:14+00:00", generator: { date: "2025-03-15T21:13:14+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2020:4960", initial_release_date: "2020-11-05T18:47:03+00:00", revision_history: [ { date: "2020-11-05T18:47:03+00:00", number: "1", summary: "Initial version", }, { date: "2020-11-05T18:47:03+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T21:13:14+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHDM 7.9.0", product: { name: "RHDM 7.9.0", product_id: "RHDM 7.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Guillaume Smet", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2019-14900", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2019-01-15T00:00:00+00:00", ids: [ { 
system_name: "Red Hat Bugzilla ID", text: "1666499", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "hibernate: SQL injection issue in Hibernate ORM", title: "Vulnerability summary", }, { category: "other", text: "OpenDaylight:\nIn RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.\n\nRed Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in its candlepin component. 
However, that component does not use hibernate-core in a vulnerable way.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-14900", }, { category: "external", summary: "RHBZ#1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-14900", url: "https://www.cve.org/CVERecord?id=CVE-2019-14900", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", }, ], release_date: "2020-05-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "There is no currently known mitigation for this flaw.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", 
confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate: SQL injection issue in Hibernate ORM", }, { cve: "CVE-2019-17566", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1848617", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity.", title: "Vulnerability description", }, { category: "summary", text: "batik: SSRF via \"xlink:href\"", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17566", }, { category: "external", summary: "RHBZ#1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17566", url: "https://www.cve.org/CVERecord?id=CVE-2019-17566", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", }, ], release_date: "2020-06-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: SSRF via \"xlink:href\"", }, { cve: "CVE-2020-1748", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2020-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1807707", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. 
This flaw leads to information exposure by unauthenticated access to secure resources.", title: "Vulnerability description", }, { category: "summary", text: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1748", }, { category: "external", summary: "RHBZ#1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1748", url: "https://www.cve.org/CVERecord?id=CVE-2020-1748", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", }, ], release_date: "2020-08-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", 
availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", }, { cve: "CVE-2020-1945", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2020-05-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1837444", }, ], notes: [ { category: "description", text: "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.", title: "Vulnerability description", }, { category: "summary", text: "ant: insecure temporary file vulnerability", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: 
"CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1945", }, { category: "external", summary: "RHBZ#1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1945", url: "https://www.cve.org/CVERecord?id=CVE-2020-1945", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", }, ], release_date: "2020-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.\n\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. 
Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ant: insecure temporary file vulnerability", }, { cve: "CVE-2020-1954", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2020-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1824301", }, ], notes: [ { category: "description", text: "Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. 
They are then able to gain access to all of the information that is sent and received over JMX.", title: "Vulnerability description", }, { category: "summary", text: "cxf: JMX integration is vulnerable to a MITM attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1954", }, { category: "external", summary: "RHBZ#1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1954", url: "https://www.cve.org/CVERecord?id=CVE-2020-1954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", }, ], release_date: "2020-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 
5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "cxf: JMX integration is vulnerable to a MITM attack", }, { cve: "CVE-2020-2875", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851019", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "RHBZ#1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2875", url: "https://www.cve.org/CVERecord?id=CVE-2020-2875", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { cve: "CVE-2020-2933", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851022", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection, causing a denial of service of the MySQL Connectors.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "RHBZ#1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2933", url: "https://www.cve.org/CVERecord?id=CVE-2020-2933", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: 
"HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", }, { cve: "CVE-2020-2934", discovery_date: "2020-06-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851014", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "RHBZ#1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2934", url: "https://www.cve.org/CVERecord?id=CVE-2020-2934", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { acknowledgments: [ { names: [ "Adith Sudhakar", ], }, ], cve: "CVE-2020-10683", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2019-03-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1694235", }, ], notes: [ { category: "description", text: "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", title: "Vulnerability description", }, { category: "summary", text: "dom4j: XML External Entity vulnerability in default SAX parser", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform ships a vulnerable version of dom4j library. However it's used to parse configuration files, which are local disk resources. 
We've rated this issue with a moderate impact for OpenShift Container Platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10683", }, { category: "external", summary: "RHBZ#1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10683", url: "https://www.cve.org/CVERecord?id=CVE-2020-10683", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dom4j: XML External Entity vulnerability in default SAX parser", }, { acknowledgments: [ { names: [ "Alvaro Muñoz", ], organization: "GitHub Security Labs", }, ], cve: "CVE-2020-10693", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-02-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1805501", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", title: "Vulnerability summary", }, { category: "other", text: "hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). 
However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10693", }, { category: "external", summary: "RHBZ#1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10693", url: "https://www.cve.org/CVERecord?id=CVE-2020-10693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", }, ], release_date: "2020-05-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "You can pass user input as an expression variable by unwrapping the context to HibernateConstraintValidatorContext. 
Please refer to the https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", }, { acknowledgments: [ { names: [ "Mark Banierink", ], organization: "Nedap", }, ], cve: "CVE-2020-10714", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2020-03-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1825714", }, ], notes: [ { category: "description", text: "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly-elytron: session fixation when using FORM authentication", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10714", }, { category: "external", summary: "RHBZ#1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10714", url: "https://www.cve.org/CVERecord?id=CVE-2020-10714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", }, ], release_date: "2020-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "This attack is dependent on the attacker being able 
to create a session and the victim accessing that session before it expires. There is a 15-minute session timeout by default, but the attacker could also keep the session alive by, for example, sending a request every five minutes.\n\nBy default the server supports session tracking by both URL and cookie; if web.xml is updated to support COOKIE tracking only, the exploit via a shared link is not possible.\n~~~\n <session-config>\n <tracking-mode>URL</tracking-mode>\n </session-config>\n~~~\nTO\n~~~\n <session-config>\n <tracking-mode>COOKIE</tracking-mode>\n </session-config>\n~~~", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly-elytron: session fixation when using FORM authentication", }, ], }
rhsa-2020_4961
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.9.0 serves as an update to Red Hat Process Automation Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* 
mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2020:4961", url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhpam&version=7.9.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhpam&version=7.9.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/", url: "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/", }, { category: "external", summary: "1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", 
summary: "1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4961.json", }, ], title: "Red Hat Security Advisory: Red Hat Process Automation Manager 7.9.0 security update", tracking: { current_release_date: "2024-12-15T19:02:10+00:00", generator: { date: "2024-12-15T19:02:10+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2020:4961", initial_release_date: "2020-11-05T18:48:33+00:00", revision_history: [ { date: "2020-11-05T18:48:33+00:00", number: "1", summary: "Initial version", }, { date: "2020-11-05T18:48:33+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T19:02:10+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHPAM 7.9.0", product: { name: "RHPAM 7.9.0", product_id: "RHPAM 7.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Guillaume Smet", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2019-14900", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2019-01-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1666499", }, ], 
notes: [ { category: "description", text: "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "hibernate: SQL injection issue in Hibernate ORM", title: "Vulnerability summary", }, { category: "other", text: "OpenDaylight:\nIn RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.\n\nRed Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in their candlepin component. However, that component does not use hibernate-core in a vulnerable way.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-14900", }, { category: "external", summary: "RHBZ#1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-14900", url: "https://www.cve.org/CVERecord?id=CVE-2019-14900", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", }, ], release_date: "2020-05-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "There is no currently known mitigation for this flaw.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate: SQL injection issue in Hibernate ORM", }, { cve: "CVE-2019-17566", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1848617", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. 
The highest threat from this vulnerability is to system integrity.", title: "Vulnerability description", }, { category: "summary", text: "batik: SSRF via \"xlink:href\"", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17566", }, { category: "external", summary: "RHBZ#1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17566", url: "https://www.cve.org/CVERecord?id=CVE-2019-17566", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", }, ], release_date: "2020-06-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: 
"NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: SSRF via \"xlink:href\"", }, { cve: "CVE-2020-1748", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2020-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1807707", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.", title: "Vulnerability description", }, { category: "summary", text: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1748", }, { category: "external", summary: "RHBZ#1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1748", url: "https://www.cve.org/CVERecord?id=CVE-2020-1748", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", }, ], release_date: "2020-08-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For 
on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", }, { cve: "CVE-2020-1945", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2020-05-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1837444", }, ], notes: [ { category: "description", text: "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. 
The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.", title: "Vulnerability description", }, { category: "summary", text: "ant: insecure temporary file vulnerability", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1945", }, { category: "external", summary: "RHBZ#1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1945", url: "https://www.cve.org/CVERecord?id=CVE-2020-1945", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", }, ], release_date: "2020-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so 
on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory (readable and writable only by the current user) before running Ant.\n\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ant: insecure temporary file vulnerability", }, { cve: "CVE-2020-1954", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2020-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1824301", }, ], notes: [ { category: "description", text: "Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. 
If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.", title: "Vulnerability description", }, { category: "summary", text: "cxf: JMX integration is vulnerable to a MITM attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1954", }, { category: "external", summary: "RHBZ#1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1954", url: "https://www.cve.org/CVERecord?id=CVE-2020-1954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", }, ], release_date: "2020-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a 
download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "cxf: JMX integration is vulnerable to a MITM attack", }, { cve: "CVE-2020-2875", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851019", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "RHBZ#1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2875", url: "https://www.cve.org/CVERecord?id=CVE-2020-2875", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { cve: "CVE-2020-2933", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851022", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection, causing a denial of service of the MySQL Connectors.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "RHBZ#1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2933", url: "https://www.cve.org/CVERecord?id=CVE-2020-2933", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", 
privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", }, { cve: "CVE-2020-2934", discovery_date: "2020-06-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851014", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "RHBZ#1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2934", url: "https://www.cve.org/CVERecord?id=CVE-2020-2934", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { acknowledgments: [ { names: [ "Adith Sudhakar", ], }, ], cve: "CVE-2020-10683", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2019-03-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1694235", }, ], notes: [ { category: "description", text: "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", title: "Vulnerability description", }, { category: "summary", text: "dom4j: XML External Entity vulnerability in default SAX parser", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform ships a vulnerable version of dom4j library. However it's used to parse configuration files, which are local disk resources. 
We've rated this issue with a moderate impact for OpenShift Container Platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10683", }, { category: "external", summary: "RHBZ#1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10683", url: "https://www.cve.org/CVERecord?id=CVE-2020-10683", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dom4j: XML External Entity vulnerability in default SAX parser", }, { acknowledgments: [ { names: [ "Alvaro Muñoz", ], organization: "GitHub Security Labs", }, ], cve: "CVE-2020-10693", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-02-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1805501", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", title: "Vulnerability summary", }, { category: "other", text: "hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). 
However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10693", }, { category: "external", summary: "RHBZ#1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10693", url: "https://www.cve.org/CVERecord?id=CVE-2020-10693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", }, ], release_date: "2020-05-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "You can pass user input as an expression variable by unwrapping the context to HibernateConstraintValidatorContext. 
Please refer to the https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", }, { acknowledgments: [ { names: [ "Mark Banierink", ], organization: "Nedap", }, ], cve: "CVE-2020-10714", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2020-03-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1825714", }, ], notes: [ { category: "description", text: "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly-elytron: session fixation when using FORM authentication", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10714", }, { category: "external", summary: "RHBZ#1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10714", url: "https://www.cve.org/CVERecord?id=CVE-2020-10714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", }, ], release_date: "2020-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "This attack is dependent on the attacker being able 
to create a session and the victim accessing the session before the session expires, we do have a 15 minute session timeout by default but the attacker could also keep this alive by say sending in a request every five minutes.\n\nThe server by default supports session tracking by URL and Cookie, if the web.xml is updated to support COOKIE only the exploit is not possible by sharing the link.\n~~~\n <session-config>\n <tracking-mode>URL</tracking-mode>\n </session-config>\n~~~\nTO\n~~~\n <session-config>\n <tracking-mode>COOKIE</tracking-mode>\n </session-config>\n~~~", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly-elytron: session fixation when using FORM authentication", }, ], }
rhsa-2020:4961
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.9.0 serves as an update to Red Hat Process Automation Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* 
mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2020:4961", url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhpam&version=7.9.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhpam&version=7.9.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/", url: "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/", }, { category: "external", summary: "1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", 
summary: "1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4961.json", }, ], title: "Red Hat Security Advisory: Red Hat Process Automation Manager 7.9.0 security update", tracking: { current_release_date: "2025-03-15T21:13:06+00:00", generator: { date: "2025-03-15T21:13:06+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2020:4961", initial_release_date: "2020-11-05T18:48:33+00:00", revision_history: [ { date: "2020-11-05T18:48:33+00:00", number: "1", summary: "Initial version", }, { date: "2020-11-05T18:48:33+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T21:13:06+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHPAM 7.9.0", product: { name: "RHPAM 7.9.0", product_id: "RHPAM 7.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Guillaume Smet", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2019-14900", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2019-01-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1666499", }, ], 
notes: [ { category: "description", text: "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "hibernate: SQL injection issue in Hibernate ORM", title: "Vulnerability summary", }, { category: "other", text: "OpenDaylight:\nIn RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.\n\nRed Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in its candlepin component. However, that component does not use hibernate-core in a vulnerable way.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-14900", }, { category: "external", summary: "RHBZ#1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-14900", url: "https://www.cve.org/CVERecord?id=CVE-2019-14900", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", }, ], release_date: "2020-05-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "There is no currently known mitigation for this flaw.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate: SQL injection issue in Hibernate ORM", }, { cve: "CVE-2019-17566", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1848617", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. 
The highest threat from this vulnerability is to system integrity.", title: "Vulnerability description", }, { category: "summary", text: "batik: SSRF via \"xlink:href\"", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17566", }, { category: "external", summary: "RHBZ#1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17566", url: "https://www.cve.org/CVERecord?id=CVE-2019-17566", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", }, ], release_date: "2020-06-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: 
"NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: SSRF via \"xlink:href\"", }, { cve: "CVE-2020-1748", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2020-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1807707", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.", title: "Vulnerability description", }, { category: "summary", text: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1748", }, { category: "external", summary: "RHBZ#1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1748", url: "https://www.cve.org/CVERecord?id=CVE-2020-1748", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", }, ], release_date: "2020-08-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For 
on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", }, { cve: "CVE-2020-1945", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2020-05-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1837444", }, ], notes: [ { category: "description", text: "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. 
The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.", title: "Vulnerability description", }, { category: "summary", text: "ant: insecure temporary file vulnerability", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1945", }, { category: "external", summary: "RHBZ#1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1945", url: "https://www.cve.org/CVERecord?id=CVE-2020-1945", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", }, ], release_date: "2020-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so 
on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.\n\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ant: insecure temporary file vulnerability", }, { cve: "CVE-2020-1954", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2020-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1824301", }, ], notes: [ { category: "description", text: "Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. 
If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.", title: "Vulnerability description", }, { category: "summary", text: "cxf: JMX integration is vulnerable to a MITM attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1954", }, { category: "external", summary: "RHBZ#1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1954", url: "https://www.cve.org/CVERecord?id=CVE-2020-1954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", }, ], release_date: "2020-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a 
download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "cxf: JMX integration is vulnerable to a MITM attack", }, { cve: "CVE-2020-2875", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851019", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "RHBZ#1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2875", url: "https://www.cve.org/CVERecord?id=CVE-2020-2875", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { cve: "CVE-2020-2933", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851022", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection, causing a denial of service of the MySQL Connectors.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "RHBZ#1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2933", url: "https://www.cve.org/CVERecord?id=CVE-2020-2933", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", 
privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", }, { cve: "CVE-2020-2934", discovery_date: "2020-06-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851014", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "RHBZ#1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2934", url: "https://www.cve.org/CVERecord?id=CVE-2020-2934", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { acknowledgments: [ { names: [ "Adith Sudhakar", ], }, ], cve: "CVE-2020-10683", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2019-03-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1694235", }, ], notes: [ { category: "description", text: "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", title: "Vulnerability description", }, { category: "summary", text: "dom4j: XML External Entity vulnerability in default SAX parser", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform ships a vulnerable version of dom4j library. However it's used to parse configuration files, which are local disk resources. 
We've rated this issue with a moderate impact for OpenShift Container Platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10683", }, { category: "external", summary: "RHBZ#1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10683", url: "https://www.cve.org/CVERecord?id=CVE-2020-10683", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dom4j: XML External Entity vulnerability in default SAX parser", }, { acknowledgments: [ { names: [ "Alvaro Muñoz", ], organization: "GitHub Security Labs", }, ], cve: "CVE-2020-10693", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-02-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1805501", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", title: "Vulnerability summary", }, { category: "other", text: "hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). 
However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10693", }, { category: "external", summary: "RHBZ#1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10693", url: "https://www.cve.org/CVERecord?id=CVE-2020-10693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", }, ], release_date: "2020-05-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "You can pass user input as an expression variable by unwrapping the context to HibernateConstraintValidatorContext. 
Please refer to the https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", }, { acknowledgments: [ { names: [ "Mark Banierink", ], organization: "Nedap", }, ], cve: "CVE-2020-10714", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2020-03-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1825714", }, ], notes: [ { category: "description", text: "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly-elytron: session fixation when using FORM authentication", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10714", }, { category: "external", summary: "RHBZ#1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10714", url: "https://www.cve.org/CVERecord?id=CVE-2020-10714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", }, ], release_date: "2020-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "This attack is dependent on the attacker being able 
to create a session and on the victim accessing that session before it expires; the server has a 15-minute session timeout by default, but the attacker could keep the session alive by sending a request every five minutes.\n\nThe server by default supports session tracking by URL and Cookie; if web.xml is updated to support COOKIE only, the exploit is not possible by sharing the link.\n~~~\n <session-config>\n <tracking-mode>URL</tracking-mode>\n </session-config>\n~~~\nTO\n~~~\n <session-config>\n <tracking-mode>COOKIE</tracking-mode>\n </session-config>\n~~~", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly-elytron: session fixation when using FORM authentication", }, ], }
rhsa-2020:4960
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Decision Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. 
\n\nThis release of Red Hat Decision Manager 7.9.0 serves as an update to Red Hat Decision Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2020:4960", url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhdm&version=7.9.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhdm&version=7.9.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.9/", url: "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.9/", }, { category: "external", summary: "1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "1837444", url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4960.json", }, ], title: "Red Hat Security Advisory: Red Hat Decision Manager 7.9.0 security update", tracking: { current_release_date: "2025-03-15T21:13:14+00:00", generator: { date: "2025-03-15T21:13:14+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2020:4960", initial_release_date: "2020-11-05T18:47:03+00:00", revision_history: [ { date: "2020-11-05T18:47:03+00:00", number: "1", summary: "Initial version", }, { date: "2020-11-05T18:47:03+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T21:13:14+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHDM 7.9.0", product: { name: "RHDM 7.9.0", product_id: "RHDM 7.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Guillaume Smet", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2019-14900", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2019-01-15T00:00:00+00:00", ids: [ { 
system_name: "Red Hat Bugzilla ID", text: "1666499", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "hibernate: SQL injection issue in Hibernate ORM", title: "Vulnerability summary", }, { category: "other", text: "OpenDaylight:\nIn RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.\n\nRed Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in the candlepin component. 
However, that component does not use hibernate-core in a vulnerable way.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-14900", }, { category: "external", summary: "RHBZ#1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-14900", url: "https://www.cve.org/CVERecord?id=CVE-2019-14900", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", }, ], release_date: "2020-05-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "There is no currently known mitigation for this flaw.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", 
confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate: SQL injection issue in Hibernate ORM", }, { cve: "CVE-2019-17566", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1848617", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity.", title: "Vulnerability description", }, { category: "summary", text: "batik: SSRF via \"xlink:href\"", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17566", }, { category: "external", summary: "RHBZ#1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17566", url: "https://www.cve.org/CVERecord?id=CVE-2019-17566", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", }, ], release_date: "2020-06-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: SSRF via \"xlink:href\"", }, { cve: "CVE-2020-1748", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2020-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1807707", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. 
This flaw leads to information exposure by unauthenticated access to secure resources.", title: "Vulnerability description", }, { category: "summary", text: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1748", }, { category: "external", summary: "RHBZ#1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1748", url: "https://www.cve.org/CVERecord?id=CVE-2020-1748", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", }, ], release_date: "2020-08-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", 
availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", }, { cve: "CVE-2020-1945", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2020-05-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1837444", }, ], notes: [ { category: "description", text: "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.", title: "Vulnerability description", }, { category: "summary", text: "ant: insecure temporary file vulnerability", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: 
"CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1945", }, { category: "external", summary: "RHBZ#1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1945", url: "https://www.cve.org/CVERecord?id=CVE-2020-1945", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", }, ], release_date: "2020-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.\n\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. 
Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ant: insecure temporary file vulnerability", }, { cve: "CVE-2020-1954", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2020-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1824301", }, ], notes: [ { category: "description", text: "Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. 
They are then able to gain access to all of the information that is sent and received over JMX.", title: "Vulnerability description", }, { category: "summary", text: "cxf: JMX integration is vulnerable to a MITM attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1954", }, { category: "external", summary: "RHBZ#1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1954", url: "https://www.cve.org/CVERecord?id=CVE-2020-1954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", }, ], release_date: "2020-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 
5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "cxf: JMX integration is vulnerable to a MITM attack", }, { cve: "CVE-2020-2875", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851019", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "RHBZ#1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2875", url: "https://www.cve.org/CVERecord?id=CVE-2020-2875", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { cve: "CVE-2020-2933", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851022", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection, causing a denial of service of the MySQL Connectors.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "RHBZ#1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2933", url: "https://www.cve.org/CVERecord?id=CVE-2020-2933", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: 
"HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", }, { cve: "CVE-2020-2934", discovery_date: "2020-06-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851014", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "RHBZ#1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2934", url: "https://www.cve.org/CVERecord?id=CVE-2020-2934", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { acknowledgments: [ { names: [ "Adith Sudhakar", ], }, ], cve: "CVE-2020-10683", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2019-03-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1694235", }, ], notes: [ { category: "description", text: "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", title: "Vulnerability description", }, { category: "summary", text: "dom4j: XML External Entity vulnerability in default SAX parser", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform ships a vulnerable version of dom4j library. However it's used to parse configuration files, which are local disk resources. 
We've rated this issue with a moderate impact for OpenShift Container Platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10683", }, { category: "external", summary: "RHBZ#1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10683", url: "https://www.cve.org/CVERecord?id=CVE-2020-10683", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dom4j: XML External Entity vulnerability in default SAX parser", }, { acknowledgments: [ { names: [ "Alvaro Muñoz", ], organization: "GitHub Security Labs", }, ], cve: "CVE-2020-10693", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-02-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1805501", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", title: "Vulnerability summary", }, { category: "other", text: "hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). 
However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10693", }, { category: "external", summary: "RHBZ#1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10693", url: "https://www.cve.org/CVERecord?id=CVE-2020-10693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", }, ], release_date: "2020-05-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "You can pass user input as an expression variable by unwrapping the context to HibernateConstraintValidatorContext. 
Please refer to the https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", }, { acknowledgments: [ { names: [ "Mark Banierink", ], organization: "Nedap", }, ], cve: "CVE-2020-10714", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2020-03-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1825714", }, ], notes: [ { category: "description", text: "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly-elytron: session fixation when using FORM authentication", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10714", }, { category: "external", summary: "RHBZ#1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10714", url: "https://www.cve.org/CVERecord?id=CVE-2020-10714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", }, ], release_date: "2020-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "This attack is dependent on the attacker being able 
to create a session and the victim accessing the session before the session expires; there is a 15-minute session timeout by default, but the attacker could keep the session alive by sending a request every five minutes.\n\nBy default the server supports session tracking by both URL and cookie; if web.xml is updated to support COOKIE tracking only, the exploit is not possible by sharing the link.\n~~~\n <session-config>\n <tracking-mode>URL</tracking-mode>\n </session-config>\n~~~\nTO\n~~~\n <session-config>\n <tracking-mode>COOKIE</tracking-mode>\n </session-config>\n~~~", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly-elytron: session fixation when using FORM authentication", }, ], }
rhsa-2020_4960
Vulnerability from csaf_redhat
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Decision Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. 
\n\nThis release of Red Hat Decision Manager 7.9.0 serves as an update to Red Hat Decision Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2020:4960", url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhdm&version=7.9.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhdm&version=7.9.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.9/", url: "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.9/", }, { category: "external", summary: "1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "1837444", url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4960.json", }, ], title: "Red Hat Security Advisory: Red Hat Decision Manager 7.9.0 security update", tracking: { current_release_date: "2024-12-15T19:02:19+00:00", generator: { date: "2024-12-15T19:02:19+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2020:4960", initial_release_date: "2020-11-05T18:47:03+00:00", revision_history: [ { date: "2020-11-05T18:47:03+00:00", number: "1", summary: "Initial version", }, { date: "2020-11-05T18:47:03+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T19:02:19+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHDM 7.9.0", product: { name: "RHDM 7.9.0", product_id: "RHDM 7.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Guillaume Smet", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2019-14900", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2019-01-15T00:00:00+00:00", ids: [ { 
system_name: "Red Hat Bugzilla ID", text: "1666499", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "hibernate: SQL injection issue in Hibernate ORM", title: "Vulnerability summary", }, { category: "other", text: "OpenDaylight:\nIn RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.\n\nRed Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in its candlepin component. 
However, that component does not use hibernate-core in a vulnerable way.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-14900", }, { category: "external", summary: "RHBZ#1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-14900", url: "https://www.cve.org/CVERecord?id=CVE-2019-14900", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", }, ], release_date: "2020-05-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "There is no currently known mitigation for this flaw.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", 
confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate: SQL injection issue in Hibernate ORM", }, { cve: "CVE-2019-17566", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1848617", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity.", title: "Vulnerability description", }, { category: "summary", text: "batik: SSRF via \"xlink:href\"", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17566", }, { category: "external", summary: "RHBZ#1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17566", url: "https://www.cve.org/CVERecord?id=CVE-2019-17566", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", }, ], release_date: "2020-06-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: SSRF via \"xlink:href\"", }, { cve: "CVE-2020-1748", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2020-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1807707", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. 
This flaw leads to information exposure by unauthenticated access to secure resources.", title: "Vulnerability description", }, { category: "summary", text: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1748", }, { category: "external", summary: "RHBZ#1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1748", url: "https://www.cve.org/CVERecord?id=CVE-2020-1748", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", }, ], release_date: "2020-08-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", 
availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", }, { cve: "CVE-2020-1945", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2020-05-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1837444", }, ], notes: [ { category: "description", text: "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.", title: "Vulnerability description", }, { category: "summary", text: "ant: insecure temporary file vulnerability", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: 
"CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1945", }, { category: "external", summary: "RHBZ#1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1945", url: "https://www.cve.org/CVERecord?id=CVE-2020-1945", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", }, ], release_date: "2020-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.\n\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. 
Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ant: insecure temporary file vulnerability", }, { cve: "CVE-2020-1954", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2020-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1824301", }, ], notes: [ { category: "description", text: "Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. 
They are then able to gain access to all of the information that is sent and received over JMX.", title: "Vulnerability description", }, { category: "summary", text: "cxf: JMX integration is vulnerable to a MITM attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1954", }, { category: "external", summary: "RHBZ#1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1954", url: "https://www.cve.org/CVERecord?id=CVE-2020-1954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", }, ], release_date: "2020-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 
5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "cxf: JMX integration is vulnerable to a MITM attack", }, { cve: "CVE-2020-2875", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851019", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "RHBZ#1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2875", url: "https://www.cve.org/CVERecord?id=CVE-2020-2875", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { cve: "CVE-2020-2933", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851022", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection, causing a denial of service of the MySQL Connectors.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "RHBZ#1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2933", url: "https://www.cve.org/CVERecord?id=CVE-2020-2933", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: 
"HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", }, { cve: "CVE-2020-2934", discovery_date: "2020-06-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851014", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "RHBZ#1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2934", url: "https://www.cve.org/CVERecord?id=CVE-2020-2934", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { acknowledgments: [ { names: [ "Adith Sudhakar", ], }, ], cve: "CVE-2020-10683", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2019-03-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1694235", }, ], notes: [ { category: "description", text: "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", title: "Vulnerability description", }, { category: "summary", text: "dom4j: XML External Entity vulnerability in default SAX parser", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform ships a vulnerable version of dom4j library. However it's used to parse configuration files, which are local disk resources. 
We've rated this issue with a moderate impact for OpenShift Container Platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10683", }, { category: "external", summary: "RHBZ#1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10683", url: "https://www.cve.org/CVERecord?id=CVE-2020-10683", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dom4j: XML External Entity vulnerability in default SAX parser", }, { acknowledgments: [ { names: [ "Alvaro Muñoz", ], organization: "GitHub Security Labs", }, ], cve: "CVE-2020-10693", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-02-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1805501", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", title: "Vulnerability summary", }, { category: "other", text: "hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). 
However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10693", }, { category: "external", summary: "RHBZ#1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10693", url: "https://www.cve.org/CVERecord?id=CVE-2020-10693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", }, ], release_date: "2020-05-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "You can pass user input as an expression variable by unwrapping the context to HibernateConstraintValidatorContext. 
Please refer to the https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", }, { acknowledgments: [ { names: [ "Mark Banierink", ], organization: "Nedap", }, ], cve: "CVE-2020-10714", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2020-03-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1825714", }, ], notes: [ { category: "description", text: "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly-elytron: session fixation when using FORM authentication", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHDM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10714", }, { category: "external", summary: "RHBZ#1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10714", url: "https://www.cve.org/CVERecord?id=CVE-2020-10714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", }, ], release_date: "2020-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:47:03+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHDM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "workaround", details: "This attack is dependent on the attacker being able 
to create a session and the victim accessing that session before it expires. The default session timeout is 15 minutes, but an attacker could keep the session alive by sending a request periodically (for example, every five minutes).\n\nBy default the server supports session tracking by both URL and cookie; if web.xml is updated to use COOKIE tracking only, the exploit is no longer possible by sharing a link.\n~~~\n <session-config>\n <tracking-mode>URL</tracking-mode>\n </session-config>\n~~~\nTO\n~~~\n <session-config>\n <tracking-mode>COOKIE</tracking-mode>\n </session-config>\n~~~", product_ids: [ "RHDM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHDM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly-elytron: session fixation when using FORM authentication", }, ], }
RHSA-2020:4961
Vulnerability from csaf_redhat
Notes
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.9.0 serves as an update to Red Hat Process Automation Manager 7.8.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)\n\n* ant: insecure temporary file vulnerability (CVE-2020-1945)\n\n* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)\n\n* hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)\n\n* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)\n\n* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)\n\n* 
mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2875)\n\n* mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS (CVE-2020-2933)\n\n* mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete (CVE-2020-2934)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2020:4961", url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhpam&version=7.9.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=rhpam&version=7.9.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/", url: "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/", }, { category: "external", summary: "1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", 
summary: "1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4961.json", }, ], title: "Red Hat Security Advisory: Red Hat Process Automation Manager 7.9.0 security update", tracking: { current_release_date: "2025-03-15T21:13:06+00:00", generator: { date: "2025-03-15T21:13:06+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2020:4961", initial_release_date: "2020-11-05T18:48:33+00:00", revision_history: [ { date: "2020-11-05T18:48:33+00:00", number: "1", summary: "Initial version", }, { date: "2020-11-05T18:48:33+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T21:13:06+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHPAM 7.9.0", product: { name: "RHPAM 7.9.0", product_id: "RHPAM 7.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Guillaume Smet", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2019-14900", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2019-01-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1666499", }, ], 
notes: [ { category: "description", text: "A flaw was found in Hibernate ORM. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "hibernate: SQL injection issue in Hibernate ORM", title: "Vulnerability summary", }, { category: "other", text: "OpenDaylight:\nIn RHOSP10, RHOSP13 and RHOSP14 editions of Red Hat OpenStack platform, the hibernate-jfa library shipped with OpenDaylight contains a flaw in the processing of SQL queries. The hibernate-jha implementation is not used in a vulnerable way in OpenDaylight, preventing the potential for SQL injection.\n\nRed Hat Satellite 6.2, 6.3 and 6.4 contain affected versions of hibernate-core in their candlepin component. However, that component does not use hibernate-core in a vulnerable way.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-14900", }, { category: "external", summary: "RHBZ#1666499", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-14900", url: "https://www.cve.org/CVERecord?id=CVE-2019-14900", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-14900", }, ], release_date: "2020-05-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "There is no currently known mitigation for this flaw.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate: SQL injection issue in Hibernate ORM", }, { cve: "CVE-2019-17566", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1848617", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. 
The highest threat from this vulnerability is to system integrity.", title: "Vulnerability description", }, { category: "summary", text: "batik: SSRF via \"xlink:href\"", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17566", }, { category: "external", summary: "RHBZ#1848617", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1848617", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17566", url: "https://www.cve.org/CVERecord?id=CVE-2019-17566", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17566", }, ], release_date: "2020-06-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: 
"NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: SSRF via \"xlink:href\"", }, { cve: "CVE-2020-1748", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2020-02-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1807707", }, ], notes: [ { category: "description", text: "A flaw was found in Wildfly, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.", title: "Vulnerability description", }, { category: "summary", text: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1748", }, { category: "external", summary: "RHBZ#1807707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1807707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1748", url: "https://www.cve.org/CVERecord?id=CVE-2020-1748", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1748", }, ], release_date: "2020-08-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For 
on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain", }, { cve: "CVE-2020-1945", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2020-05-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1837444", }, ], notes: [ { category: "description", text: "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. 
The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.", title: "Vulnerability description", }, { category: "summary", text: "ant: insecure temporary file vulnerability", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1945", }, { category: "external", summary: "RHBZ#1837444", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1837444", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1945", url: "https://www.cve.org/CVERecord?id=CVE-2020-1945", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1945", }, ], release_date: "2020-05-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so 
on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.\n\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ant: insecure temporary file vulnerability", }, { cve: "CVE-2020-1954", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2020-04-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1824301", }, ], notes: [ { category: "description", text: "Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. 
If the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.", title: "Vulnerability description", }, { category: "summary", text: "cxf: JMX integration is vulnerable to a MITM attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-1954", }, { category: "external", summary: "RHBZ#1824301", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1824301", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-1954", url: "https://www.cve.org/CVERecord?id=CVE-2020-1954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-1954", }, ], release_date: "2020-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a 
download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "cxf: JMX integration is vulnerable to a MITM attack", }, { cve: "CVE-2020-2875", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851019", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "RHBZ#1851019", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851019", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2875", url: "https://www.cve.org/CVERecord?id=CVE-2020-2875", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2875", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", 
privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { cve: "CVE-2020-2933", discovery_date: "2020-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851022", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection, causing a denial of service of the MySQL Connectors.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "RHBZ#1851022", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851022", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2933", url: "https://www.cve.org/CVERecord?id=CVE-2020-2933", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", 
privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized partial DoS", }, { cve: "CVE-2020-2934", discovery_date: "2020-06-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1851014", }, ], notes: [ { category: "description", text: "A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands.", title: "Vulnerability description", }, { category: "summary", text: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections. 
It can be installed this way:\n\n # yum-config-manager --enable rhel-server-rhscl-7-rpms\n\n # yum install rh-mariadb103-mariadb-java-client", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "RHBZ#1851014", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1851014", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-2934", url: "https://www.cve.org/CVERecord?id=CVE-2020-2934", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-2934", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete", }, { acknowledgments: [ { names: [ "Adith Sudhakar", ], }, ], cve: "CVE-2020-10683", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2019-03-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1694235", }, ], notes: [ { category: "description", text: "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.", title: "Vulnerability description", }, { category: "summary", text: "dom4j: XML External Entity vulnerability in default SAX parser", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform ships a vulnerable version of dom4j library. However it's used to parse configuration files, which are local disk resources. 
We've rated this issue with a moderate impact for OpenShift Container Platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10683", }, { category: "external", summary: "RHBZ#1694235", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1694235", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10683", url: "https://www.cve.org/CVERecord?id=CVE-2020-10683", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10683", }, ], release_date: "2020-04-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.0", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dom4j: XML External Entity vulnerability in default SAX parser", }, { acknowledgments: [ { names: [ "Alvaro Muñoz", ], organization: "GitHub Security Labs", }, ], cve: "CVE-2020-10693", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-02-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1805501", }, ], notes: [ { category: "description", text: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", title: "Vulnerability summary", }, { category: "other", text: "hibernate-validator is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). 
However, because ODL is technical preview in this version and the flaw is moderate, Red Hat will not be releasing a fix for the OpenStack package at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10693", }, { category: "external", summary: "RHBZ#1805501", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1805501", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10693", url: "https://www.cve.org/CVERecord?id=CVE-2020-10693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10693", }, ], release_date: "2020-05-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "You can pass user input as an expression variable by unwrapping the context to HibernateConstraintValidatorContext. 
Please refer to the https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/ and https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code.", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Improper input validation in the interpolation of constraint error messages", }, { acknowledgments: [ { names: [ "Mark Banierink", ], organization: "Nedap", }, ], cve: "CVE-2020-10714", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2020-03-24T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1825714", }, ], notes: [ { category: "description", text: "A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "wildfly-elytron: session fixation when using FORM authentication", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHPAM 7.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10714", }, { category: "external", summary: "RHBZ#1825714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1825714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10714", url: "https://www.cve.org/CVERecord?id=CVE-2020-10714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10714", }, ], release_date: "2020-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2020-11-05T18:48:33+00:00", details: "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHPAM 7.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "workaround", details: "This attack is dependent on the attacker being able 
to create a session and on the victim accessing that session before it expires. The default session timeout is 15 minutes, but the attacker could keep the session alive, for example by sending a request every five minutes.\n\nBy default the server supports session tracking by both URL and cookie; if web.xml is updated to allow COOKIE tracking only, the attack is no longer possible via a shared link.\n~~~\n <session-config>\n <tracking-mode>URL</tracking-mode>\n </session-config>\n~~~\nTO\n~~~\n <session-config>\n <tracking-mode>COOKIE</tracking-mode>\n </session-config>\n~~~", product_ids: [ "RHPAM 7.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHPAM 7.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "wildfly-elytron: session fixation when using FORM authentication", }, ], }
opensuse-su-2021:1126-1
Vulnerability from csaf_opensuse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for mysql-connector-java", title: "Title of the patch", }, { category: "description", text: "This update for mysql-connector-java fixes the following issues:\n\n- CVE-2020-2875: Unauthenticated attacker with network access via multiple protocols can compromise MySQL Connectors. (bsc#1173600)\n- CVE-2020-2934: Fixed a vulnerability which could cause a partial denial of service of MySQL Connectors. (bsc#1173600)\n- CVE-2020-2933: Fixed a vulnerability which could allow a high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. (bsc#1173600)\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", title: "Description of the patch", }, { category: "details", text: "openSUSE-2021-1126", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1126-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:1126-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WS25DT4QDBVK3PBC74G4JTBWADK62LTQ/", }, { category: "self", summary: "E-Mail 
link for openSUSE-SU-2021:1126-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WS25DT4QDBVK3PBC74G4JTBWADK62LTQ/", }, { category: "self", summary: "SUSE Bug 1173600", url: "https://bugzilla.suse.com/1173600", }, { category: "self", summary: "SUSE CVE CVE-2020-2875 page", url: "https://www.suse.com/security/cve/CVE-2020-2875/", }, { category: "self", summary: "SUSE CVE CVE-2020-2933 page", url: "https://www.suse.com/security/cve/CVE-2020-2933/", }, { category: "self", summary: "SUSE CVE CVE-2020-2934 page", url: "https://www.suse.com/security/cve/CVE-2020-2934/", }, ], title: "Security update for mysql-connector-java", tracking: { current_release_date: "2021-08-10T04:07:07Z", generator: { date: "2021-08-10T04:07:07Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:1126-1", initial_release_date: "2021-08-10T04:07:07Z", revision_history: [ { date: "2021-08-10T04:07:07Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "mysql-connector-java-5.1.47-lp152.2.3.1.noarch", product: { name: "mysql-connector-java-5.1.47-lp152.2.3.1.noarch", product_id: "mysql-connector-java-5.1.47-lp152.2.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "openSUSE Leap 15.2", product: { name: "openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.2", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.47-lp152.2.3.1.noarch as component of openSUSE Leap 15.2", product_id: "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", }, product_reference: 
"mysql-connector-java-5.1.47-lp152.2.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.2", }, ], }, vulnerabilities: [ { cve: "CVE-2020-2875", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2875", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2875", url: "https://www.suse.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2875", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2875", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 4.7, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-10T04:07:07Z", details: "moderate", }, ], title: "CVE-2020-2875", }, { cve: "CVE-2020-2933", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2933", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2933", url: "https://www.suse.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2933", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2933", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 2.2, baseSeverity: "LOW", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-10T04:07:07Z", details: "moderate", }, ], title: "CVE-2020-2933", }, { cve: "CVE-2020-2934", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2934", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2934", url: "https://www.suse.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2934", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2934", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Leap 15.2:mysql-connector-java-5.1.47-lp152.2.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-10T04:07:07Z", details: "moderate", }, ], title: "CVE-2020-2934", }, ], }
opensuse-su-2021:2622-1
Vulnerability from csaf_opensuse
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for mysql-connector-java", title: "Title of the patch", }, { category: "description", text: "This update for mysql-connector-java fixes the following issues:\n\n- CVE-2020-2875: Unauthenticated attacker with network access via multiple protocols can compromise MySQL Connectors. (bsc#1173600)\n- CVE-2020-2934: Fixed a vulnerability which could cause a partial denial of service of MySQL Connectors. (bsc#1173600)\n- CVE-2020-2933: Fixed a vulnerability which could allow a high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. (bsc#1173600)\n", title: "Description of the patch", }, { category: "details", text: "openSUSE-SLE-15.3-2021-2622", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_2622-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2021:2622-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KHHGZ3MEHVZT3NYQIEG5WTISHLXRLW3D/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2021:2622-1", url: 
"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KHHGZ3MEHVZT3NYQIEG5WTISHLXRLW3D/", }, { category: "self", summary: "SUSE Bug 1173600", url: "https://bugzilla.suse.com/1173600", }, { category: "self", summary: "SUSE CVE CVE-2020-2875 page", url: "https://www.suse.com/security/cve/CVE-2020-2875/", }, { category: "self", summary: "SUSE CVE CVE-2020-2933 page", url: "https://www.suse.com/security/cve/CVE-2020-2933/", }, { category: "self", summary: "SUSE CVE CVE-2020-2934 page", url: "https://www.suse.com/security/cve/CVE-2020-2934/", }, ], title: "Security update for mysql-connector-java", tracking: { current_release_date: "2021-08-05T08:56:53Z", generator: { date: "2021-08-05T08:56:53Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2021:2622-1", initial_release_date: "2021-08-05T08:56:53Z", revision_history: [ { date: "2021-08-05T08:56:53Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "mysql-connector-java-5.1.47-3.3.1.noarch", product: { name: "mysql-connector-java-5.1.47-3.3.1.noarch", product_id: "mysql-connector-java-5.1.47-3.3.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "openSUSE Leap 15.3", product: { name: "openSUSE Leap 15.3", product_id: "openSUSE Leap 15.3", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.3", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.47-3.3.1.noarch as component of openSUSE Leap 15.3", product_id: "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", }, product_reference: "mysql-connector-java-5.1.47-3.3.1.noarch", relates_to_product_reference: "openSUSE 
Leap 15.3", }, ], }, vulnerabilities: [ { cve: "CVE-2020-2875", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2875", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2875", url: "https://www.suse.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2875", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2875", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 4.7, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Leap 
15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-05T08:56:53Z", details: "moderate", }, ], title: "CVE-2020-2875", }, { cve: "CVE-2020-2933", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2933", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2933", url: "https://www.suse.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2933", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2933", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 2.2, baseSeverity: "LOW", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-05T08:56:53Z", details: "moderate", }, ], title: "CVE-2020-2933", }, { cve: 
"CVE-2020-2934", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2934", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2934", url: "https://www.suse.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2934", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2934", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Leap 15.3:mysql-connector-java-5.1.47-3.3.1.noarch", 
], }, ], threats: [ { category: "impact", date: "2021-08-05T08:56:53Z", details: "moderate", }, ], title: "CVE-2020-2934", }, ], }
gsd-2020-2933
Vulnerability from gsd
{ GSD: { alias: "CVE-2020-2933", description: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", id: "GSD-2020-2933", references: [ "https://www.suse.com/security/cve/CVE-2020-2933.html", "https://www.debian.org/security/2020/dsa-4703", "https://access.redhat.com/errata/RHSA-2020:4961", "https://access.redhat.com/errata/RHSA-2020:4960", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2020-2933", ], details: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", id: "GSD-2020-2933", modified: "2023-12-13T01:21:50.694131Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2020-2933", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MySQL Connectors", version: { version_data: [ { version_affected: "=", version_value: "5.1.48 and prior", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", }, ], }, impact: { cvss: { baseScore: "2.2", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors.", }, ], }, ], }, references: { reference_data: [ { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { name: "DSA-4703", refsource: "DEBIAN", url: "https://www.debian.org/security/2020/dsa-4703", }, { name: "FEDORA-2020-747ec39700", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { name: "FEDORA-2020-35995bb2d3", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { name: "GLSA-202105-27", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/202105-27", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,5.1.48]", affected_versions: "All versions up to 5.1.48", cvss_v2: "AV:N/AC:M/Au:S/C:N/I:N/A:P", cvss_v3: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", cwe_ids: [ "CWE-1035", "CWE-937", ], date: "2021-05-26", description: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Connectors.", fixed_versions: [ "5.1.49", ], identifier: "CVE-2020-2933", identifiers: [ "CVE-2020-2933", ], not_impacted: "All versions after 5.1.48", package_slug: "maven/mysql/mysql-connector-java", pubdate: "2020-04-15", solution: "Upgrade to version 5.1.49 or above.", title: "Uncontrolled Resource Consumption", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2020-2933", "https://www.oracle.com/security-alerts/cpuapr2020.html", ], uuid: "b2c71870-4c81-4c06-8b51-af2a6bbb1b2f", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:oracle:mysql_connector\\/j:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "5.1.48", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2020-2933", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], }, ], }, references: { reference_data: [ { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "[debian-lts-announce] 20200611 [SECURITY] [DLA 2245-1] mysql-connector-java security update", refsource: "MLIST", tags: [ "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { name: "DSA-4703", refsource: "DEBIAN", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2020/dsa-4703", }, { name: "FEDORA-2020-747ec39700", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { name: "FEDORA-2020-35995bb2d3", refsource: "FEDORA", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { name: "GLSA-202105-27", refsource: "GENTOO", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202105-27", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:S/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, 
obtainUserPrivilege: false, severity: "LOW", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 0.7, impactScore: 1.4, }, }, lastModifiedDate: "2022-06-30T19:53Z", publishedDate: "2020-04-15T14:15Z", }, }, }
wid-sec-w-2023-1049
Vulnerability from csaf_certbund
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "MySQL ist ein Open Source Datenbankserver von Oracle.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle MySQL ausnutzen, um die Verfügbarkeit, Vertraulichkeit und Integrität zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- MacOS X\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1049 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-1049.json", }, { category: "self", summary: "WID-SEC-2023-1049 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1049", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2017 vom 2023-04-21", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2017.html", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2020 vom 2020-04-14", url: "https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:1810 vom 2020-04-28", url: 
"https://access.redhat.com/errata/RHSA-2020:1810", }, { category: "external", summary: "Ubuntu Security Notice USN-4350-1 vom 2020-05-04", url: "https://usn.ubuntu.com/4350-1/", }, { category: "external", summary: "Debian Security Advisory DLA 2245 vom 2020-06-12", url: "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202006/msg00015.html", }, { category: "external", summary: "Debian Security Advisory DSA-4703 vom 2020-06-11", url: "https://www.debian.org/security/2020/dsa-4703", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:1710-1 vom 2020-06-23", url: "http://lists.suse.com/pipermail/sle-security-updates/2020-June/007007.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:1711-1 vom 2020-06-23", url: "http://lists.suse.com/pipermail/sle-security-updates/2020-June/007010.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3194 vom 2020-07-28", url: "https://access.redhat.com/errata/RHSA-2020:3194", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3518 vom 2020-08-19", url: "https://access.redhat.com/errata/RHSA-2020:3518", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3732 vom 2020-09-14", url: "https://access.redhat.com/errata/RHSA-2020:3732", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3755 vom 2020-09-15", url: "https://access.redhat.com/errata/RHSA-2020:3755", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3757 vom 2020-09-15", url: "https://access.redhat.com/errata/RHSA-2020:3757", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4026 vom 2020-09-29", url: "https://access.redhat.com/errata/RHSA-2020:4026", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4174 vom 2020-10-05", url: "https://access.redhat.com/errata/RHSA-2020:4174", }, { category: "external", summary: "AVAYA Security Advisory ASA-2020-112 vom 
2020-10-25", url: "https://downloads.avaya.com/css/P8/documents/101071742", }, { category: "external", summary: "Ubuntu Security Notice USN-4603-1 vom 2020-10-27", url: "https://ubuntu.com/security/notices/USN-4603-1", }, { category: "external", summary: "Ubuntu Security Notice USN-4603-1 vom 2020-10-27", url: "https://usn.ubuntu.com/4603-1/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4442 vom 2020-11-04", url: "https://access.redhat.com/errata/RHSA-2020:4442", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4961 vom 2020-11-05", url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4960 vom 2020-11-05", url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:5246 vom 2020-11-30", url: "https://access.redhat.com/errata/RHSA-2020:5246", }, { category: "external", summary: "AVAYA Security Advisory ASA-2020-162 vom 2020-12-08", url: "https://downloads.avaya.com/css/P8/documents/101072831", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-5503 vom 2020-12-18", url: "https://linux.oracle.com/errata/ELSA-2020-5503-1.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-5500 vom 2020-12-18", url: "https://linux.oracle.com/errata/ELSA-2020-5500.html", }, { category: "external", summary: "Gentoo Linux Security Advisory GLSA-202105-27 vom 2021-05-26", url: "https://security.gentoo.org/glsa/202105-27", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:0037 vom 2021-01-18", url: "https://access.redhat.com/errata/RHSA-2021:0038", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:5635 vom 2021-02-24", url: "https://access.redhat.com/errata/RHSA-2020:5635", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2021:2320-1 vom 2021-07-14", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2021-July/009137.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2021:14771-1 vom 2021-07-29", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-July/009231.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2021:2877-1 vom 2021-08-30", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-August/009371.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:4396 vom 2021-11-09", url: "https://access.redhat.com/errata/RHSA-2021:4396", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:0318 vom 2022-01-27", url: "https://access.redhat.com/errata/RHSA-2022:0318", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:0434 vom 2022-02-04", url: "https://access.redhat.com/errata/RHSA-2022:0434", }, ], source_lang: "en-US", title: "Oracle MySQL: Mehrere Schwachstellen", tracking: { current_release_date: "2023-04-20T22:00:00.000+00:00", generator: { date: "2024-08-15T17:49:40.078+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1049", initial_release_date: "2020-04-14T22:00:00.000+00:00", revision_history: [ { date: "2020-04-14T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2020-04-28T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-05-03T22:00:00.000+00:00", number: "3", summary: "Referenz(en) aufgenommen: FEDORA-2020-261C9DDD7C, FEDORA-2020-136DC82437, FEDORA-2020-20AC7C92A1", }, { date: "2020-05-04T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2020-06-11T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Debian aufgenommen", }, { date: "2020-06-23T22:00:00.000+00:00", number: "6", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2020-07-28T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Red Hat 
aufgenommen", }, { date: "2020-08-19T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-09-14T22:00:00.000+00:00", number: "9", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-09-15T22:00:00.000+00:00", number: "10", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-09-29T22:00:00.000+00:00", number: "11", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-10-05T22:00:00.000+00:00", number: "12", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-10-25T23:00:00.000+00:00", number: "13", summary: "Neue Updates von AVAYA aufgenommen", }, { date: "2020-10-27T23:00:00.000+00:00", number: "14", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2020-11-03T23:00:00.000+00:00", number: "15", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-05T23:00:00.000+00:00", number: "16", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-30T23:00:00.000+00:00", number: "17", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-12-09T23:00:00.000+00:00", number: "18", summary: "Neue Updates von AVAYA aufgenommen", }, { date: "2020-12-17T23:00:00.000+00:00", number: "19", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2021-01-18T23:00:00.000+00:00", number: "20", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-02-24T23:00:00.000+00:00", number: "21", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-05-25T22:00:00.000+00:00", number: "22", summary: "Neue Updates von Gentoo aufgenommen", }, { date: "2021-07-14T22:00:00.000+00:00", number: "23", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2021-07-29T22:00:00.000+00:00", number: "24", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2021-08-30T22:00:00.000+00:00", number: "25", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2021-11-09T23:00:00.000+00:00", number: "26", summary: 
"Neue Updates von Red Hat aufgenommen", }, { date: "2022-01-27T23:00:00.000+00:00", number: "27", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-02-03T23:00:00.000+00:00", number: "28", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-04-20T22:00:00.000+00:00", number: "29", summary: "Neue Updates von Amazon aufgenommen", }, ], status: "final", version: "29", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Avaya Aura Application Enablement Services", product: { name: "Avaya Aura Application Enablement Services", product_id: "T015516", product_identification_helper: { cpe: "cpe:/a:avaya:aura_application_enablement_services:-", }, }, }, { category: "product_name", name: "Avaya Aura Communication Manager", product: { name: "Avaya Aura Communication Manager", product_id: "T015126", product_identification_helper: { cpe: "cpe:/a:avaya:communication_manager:-", }, }, }, { category: "product_name", name: "Avaya Aura Experience Portal", product: { name: "Avaya Aura Experience Portal", product_id: "T015519", product_identification_helper: { cpe: "cpe:/a:avaya:aura_experience_portal:-", }, }, }, { category: "product_name", name: "Avaya Aura Session Manager", product: { name: "Avaya Aura Session Manager", product_id: "T015127", product_identification_helper: { cpe: "cpe:/a:avaya:session_manager:-", }, }, }, { category: "product_name", name: "Avaya Aura System Manager", product: { name: "Avaya Aura System Manager", product_id: "T015518", product_identification_helper: { cpe: "cpe:/a:avaya:aura_system_manager:-", }, }, }, { category: "product_name", name: "Avaya Web License Manager", product: { name: "Avaya Web License Manager", product_id: "T016243", 
product_identification_helper: { cpe: "cpe:/a:avaya:web_license_manager:-", }, }, }, ], category: "vendor", name: "Avaya", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "Gentoo Linux", product: { name: "Gentoo Linux", product_id: "T012167", product_identification_helper: { cpe: "cpe:/o:gentoo:linux:-", }, }, }, ], category: "vendor", name: "Gentoo", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, { category: "product_name", name: "Oracle MySQL", product: { name: "Oracle MySQL", product_id: "T000197", product_identification_helper: { cpe: "cpe:/a:oracle:mysql:-", }, }, }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2019-14889", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client 
und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-14889", }, { cve: "CVE-2019-1547", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1547", }, { cve: "CVE-2019-1549", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1549", }, { cve: "CVE-2019-1552", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1552", }, { cve: "CVE-2019-15601", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-15601", }, { cve: "CVE-2019-1563", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1563", }, { cve: "CVE-2019-17563", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-17563", }, { cve: "CVE-2019-19242", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19242", }, { cve: "CVE-2019-19244", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19244", }, { cve: "CVE-2019-19317", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19317", }, { cve: "CVE-2019-19603", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19603", }, { cve: "CVE-2019-19645", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19645", }, { cve: "CVE-2019-19646", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19646", }, { cve: "CVE-2019-19880", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19880", }, { cve: "CVE-2019-19923", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19923", }, { cve: "CVE-2019-19924", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19924", }, { cve: "CVE-2019-19925", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19925", }, { cve: "CVE-2019-19926", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19926", }, { cve: "CVE-2019-19959", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19959", }, { cve: "CVE-2019-20218", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-20218", }, { cve: "CVE-2019-5481", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-5481", }, { cve: "CVE-2019-5482", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-5482", }, { cve: "CVE-2020-2752", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2752", }, { cve: "CVE-2020-2759", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2759", }, { cve: "CVE-2020-2760", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2760", }, { cve: "CVE-2020-2761", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2761", }, { cve: "CVE-2020-2762", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2762", }, { cve: "CVE-2020-2763", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2763", }, { cve: "CVE-2020-2765", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2765", }, { cve: "CVE-2020-2768", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2768", }, { cve: "CVE-2020-2770", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2770", }, { cve: "CVE-2020-2774", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2774", }, { cve: "CVE-2020-2779", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2779", }, { cve: "CVE-2020-2780", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2780", }, { cve: "CVE-2020-2790", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2790", }, { cve: "CVE-2020-2804", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2804", }, { cve: "CVE-2020-2806", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2806", }, { cve: "CVE-2020-2812", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2812", }, { cve: "CVE-2020-2814", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2814", }, { cve: "CVE-2020-2853", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2853", }, { cve: "CVE-2020-2875", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2875", }, { cve: "CVE-2020-2892", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2892", }, { cve: "CVE-2020-2893", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2893", }, { cve: "CVE-2020-2895", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2895", }, { cve: "CVE-2020-2896", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2896", }, { cve: "CVE-2020-2897", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2897", }, { cve: "CVE-2020-2898", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2898", }, { cve: "CVE-2020-2901", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2901", }, { cve: "CVE-2020-2903", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2903", }, { cve: "CVE-2020-2904", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2904", }, { cve: "CVE-2020-2921", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2921", }, { cve: "CVE-2020-2922", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2922", }, { cve: "CVE-2020-2923", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2923", }, { cve: "CVE-2020-2924", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2924", }, { cve: "CVE-2020-2925", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2925", }, { cve: "CVE-2020-2926", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2926", }, { cve: "CVE-2020-2928", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2928", }, { cve: "CVE-2020-2930", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2930", }, { cve: "CVE-2020-2933", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2933", }, { cve: "CVE-2020-2934", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2934", }, ], }
WID-SEC-W-2023-1049
Vulnerability from csaf_certbund
Notes
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "MySQL ist ein Open Source Datenbankserver von Oracle.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle MySQL ausnutzen, um die Verfügbarkeit, Vertraulichkeit und Integrität zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- MacOS X\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1049 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-1049.json", }, { category: "self", summary: "WID-SEC-2023-1049 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1049", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2017 vom 2023-04-21", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2017.html", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2020 vom 2020-04-14", url: "https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:1810 vom 2020-04-28", url: 
"https://access.redhat.com/errata/RHSA-2020:1810", }, { category: "external", summary: "Ubuntu Security Notice USN-4350-1 vom 2020-05-04", url: "https://usn.ubuntu.com/4350-1/", }, { category: "external", summary: "Debian Security Advisory DLA 2245 vom 2020-06-12", url: "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202006/msg00015.html", }, { category: "external", summary: "Debian Security Advisory DSA-4703 vom 2020-06-11", url: "https://www.debian.org/security/2020/dsa-4703", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:1710-1 vom 2020-06-23", url: "http://lists.suse.com/pipermail/sle-security-updates/2020-June/007007.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:1711-1 vom 2020-06-23", url: "http://lists.suse.com/pipermail/sle-security-updates/2020-June/007010.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3194 vom 2020-07-28", url: "https://access.redhat.com/errata/RHSA-2020:3194", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3518 vom 2020-08-19", url: "https://access.redhat.com/errata/RHSA-2020:3518", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3732 vom 2020-09-14", url: "https://access.redhat.com/errata/RHSA-2020:3732", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3755 vom 2020-09-15", url: "https://access.redhat.com/errata/RHSA-2020:3755", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3757 vom 2020-09-15", url: "https://access.redhat.com/errata/RHSA-2020:3757", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4026 vom 2020-09-29", url: "https://access.redhat.com/errata/RHSA-2020:4026", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4174 vom 2020-10-05", url: "https://access.redhat.com/errata/RHSA-2020:4174", }, { category: "external", summary: "AVAYA Security Advisory ASA-2020-112 vom 
2020-10-25", url: "https://downloads.avaya.com/css/P8/documents/101071742", }, { category: "external", summary: "Ubuntu Security Notice USN-4603-1 vom 2020-10-27", url: "https://ubuntu.com/security/notices/USN-4603-1", }, { category: "external", summary: "Ubuntu Security Notice USN-4603-1 vom 2020-10-27", url: "https://usn.ubuntu.com/4603-1/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4442 vom 2020-11-04", url: "https://access.redhat.com/errata/RHSA-2020:4442", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4961 vom 2020-11-05", url: "https://access.redhat.com/errata/RHSA-2020:4961", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:4960 vom 2020-11-05", url: "https://access.redhat.com/errata/RHSA-2020:4960", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:5246 vom 2020-11-30", url: "https://access.redhat.com/errata/RHSA-2020:5246", }, { category: "external", summary: "AVAYA Security Advisory ASA-2020-162 vom 2020-12-08", url: "https://downloads.avaya.com/css/P8/documents/101072831", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-5503 vom 2020-12-18", url: "https://linux.oracle.com/errata/ELSA-2020-5503-1.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-5500 vom 2020-12-18", url: "https://linux.oracle.com/errata/ELSA-2020-5500.html", }, { category: "external", summary: "Gentoo Linux Security Advisory GLSA-202105-27 vom 2021-05-26", url: "https://security.gentoo.org/glsa/202105-27", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:0037 vom 2021-01-18", url: "https://access.redhat.com/errata/RHSA-2021:0038", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:5635 vom 2021-02-24", url: "https://access.redhat.com/errata/RHSA-2020:5635", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2021:2320-1 vom 2021-07-14", url: 
"https://lists.suse.com/pipermail/sle-security-updates/2021-July/009137.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2021:14771-1 vom 2021-07-29", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-July/009231.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2021:2877-1 vom 2021-08-30", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-August/009371.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:4396 vom 2021-11-09", url: "https://access.redhat.com/errata/RHSA-2021:4396", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:0318 vom 2022-01-27", url: "https://access.redhat.com/errata/RHSA-2022:0318", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2022:0434 vom 2022-02-04", url: "https://access.redhat.com/errata/RHSA-2022:0434", }, ], source_lang: "en-US", title: "Oracle MySQL: Mehrere Schwachstellen", tracking: { current_release_date: "2023-04-20T22:00:00.000+00:00", generator: { date: "2024-08-15T17:49:40.078+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1049", initial_release_date: "2020-04-14T22:00:00.000+00:00", revision_history: [ { date: "2020-04-14T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2020-04-28T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-05-03T22:00:00.000+00:00", number: "3", summary: "Referenz(en) aufgenommen: FEDORA-2020-261C9DDD7C, FEDORA-2020-136DC82437, FEDORA-2020-20AC7C92A1", }, { date: "2020-05-04T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2020-06-11T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Debian aufgenommen", }, { date: "2020-06-23T22:00:00.000+00:00", number: "6", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2020-07-28T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Red Hat 
aufgenommen", }, { date: "2020-08-19T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-09-14T22:00:00.000+00:00", number: "9", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-09-15T22:00:00.000+00:00", number: "10", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-09-29T22:00:00.000+00:00", number: "11", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-10-05T22:00:00.000+00:00", number: "12", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-10-25T23:00:00.000+00:00", number: "13", summary: "Neue Updates von AVAYA aufgenommen", }, { date: "2020-10-27T23:00:00.000+00:00", number: "14", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2020-11-03T23:00:00.000+00:00", number: "15", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-05T23:00:00.000+00:00", number: "16", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-30T23:00:00.000+00:00", number: "17", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-12-09T23:00:00.000+00:00", number: "18", summary: "Neue Updates von AVAYA aufgenommen", }, { date: "2020-12-17T23:00:00.000+00:00", number: "19", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2021-01-18T23:00:00.000+00:00", number: "20", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-02-24T23:00:00.000+00:00", number: "21", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-05-25T22:00:00.000+00:00", number: "22", summary: "Neue Updates von Gentoo aufgenommen", }, { date: "2021-07-14T22:00:00.000+00:00", number: "23", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2021-07-29T22:00:00.000+00:00", number: "24", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2021-08-30T22:00:00.000+00:00", number: "25", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2021-11-09T23:00:00.000+00:00", number: "26", summary: 
"Neue Updates von Red Hat aufgenommen", }, { date: "2022-01-27T23:00:00.000+00:00", number: "27", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2022-02-03T23:00:00.000+00:00", number: "28", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-04-20T22:00:00.000+00:00", number: "29", summary: "Neue Updates von Amazon aufgenommen", }, ], status: "final", version: "29", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Avaya Aura Application Enablement Services", product: { name: "Avaya Aura Application Enablement Services", product_id: "T015516", product_identification_helper: { cpe: "cpe:/a:avaya:aura_application_enablement_services:-", }, }, }, { category: "product_name", name: "Avaya Aura Communication Manager", product: { name: "Avaya Aura Communication Manager", product_id: "T015126", product_identification_helper: { cpe: "cpe:/a:avaya:communication_manager:-", }, }, }, { category: "product_name", name: "Avaya Aura Experience Portal", product: { name: "Avaya Aura Experience Portal", product_id: "T015519", product_identification_helper: { cpe: "cpe:/a:avaya:aura_experience_portal:-", }, }, }, { category: "product_name", name: "Avaya Aura Session Manager", product: { name: "Avaya Aura Session Manager", product_id: "T015127", product_identification_helper: { cpe: "cpe:/a:avaya:session_manager:-", }, }, }, { category: "product_name", name: "Avaya Aura System Manager", product: { name: "Avaya Aura System Manager", product_id: "T015518", product_identification_helper: { cpe: "cpe:/a:avaya:aura_system_manager:-", }, }, }, { category: "product_name", name: "Avaya Web License Manager", product: { name: "Avaya Web License Manager", product_id: "T016243", 
product_identification_helper: { cpe: "cpe:/a:avaya:web_license_manager:-", }, }, }, ], category: "vendor", name: "Avaya", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "Gentoo Linux", product: { name: "Gentoo Linux", product_id: "T012167", product_identification_helper: { cpe: "cpe:/o:gentoo:linux:-", }, }, }, ], category: "vendor", name: "Gentoo", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, { category: "product_name", name: "Oracle MySQL", product: { name: "Oracle MySQL", product_id: "T000197", product_identification_helper: { cpe: "cpe:/a:oracle:mysql:-", }, }, }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2019-14889", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client 
und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-14889", }, { cve: "CVE-2019-1547", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1547", }, { cve: "CVE-2019-1549", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1549", }, { cve: "CVE-2019-1552", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1552", }, { cve: "CVE-2019-15601", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-15601", }, { cve: "CVE-2019-1563", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-1563", }, { cve: "CVE-2019-17563", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-17563", }, { cve: "CVE-2019-19242", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19242", }, { cve: "CVE-2019-19244", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19244", }, { cve: "CVE-2019-19317", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19317", }, { cve: "CVE-2019-19603", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19603", }, { cve: "CVE-2019-19645", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19645", }, { cve: "CVE-2019-19646", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19646", }, { cve: "CVE-2019-19880", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19880", }, { cve: "CVE-2019-19923", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19923", }, { cve: "CVE-2019-19924", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19924", }, { cve: "CVE-2019-19925", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19925", }, { cve: "CVE-2019-19926", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19926", }, { cve: "CVE-2019-19959", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-19959", }, { cve: "CVE-2019-20218", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-20218", }, { cve: "CVE-2019-5481", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-5481", }, { cve: "CVE-2019-5482", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2019-5482", }, { cve: "CVE-2020-2752", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2752", }, { cve: "CVE-2020-2759", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2759", }, { cve: "CVE-2020-2760", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2760", }, { cve: "CVE-2020-2761", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2761", }, { cve: "CVE-2020-2762", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2762", }, { cve: "CVE-2020-2763", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2763", }, { cve: "CVE-2020-2765", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2765", }, { cve: "CVE-2020-2768", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2768", }, { cve: "CVE-2020-2770", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2770", }, { cve: "CVE-2020-2774", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2774", }, { cve: "CVE-2020-2779", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2779", }, { cve: "CVE-2020-2780", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2780", }, { cve: "CVE-2020-2790", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2790", }, { cve: "CVE-2020-2804", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2804", }, { cve: "CVE-2020-2806", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2806", }, { cve: "CVE-2020-2812", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2812", }, { cve: "CVE-2020-2814", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2814", }, { cve: "CVE-2020-2853", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2853", }, { cve: "CVE-2020-2875", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2875", }, { cve: "CVE-2020-2892", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2892", }, { cve: "CVE-2020-2893", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2893", }, { cve: "CVE-2020-2895", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2895", }, { cve: "CVE-2020-2896", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2896", }, { cve: "CVE-2020-2897", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2897", }, { cve: "CVE-2020-2898", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2898", }, { cve: "CVE-2020-2901", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2901", }, { cve: "CVE-2020-2903", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2903", }, { cve: "CVE-2020-2904", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2904", }, { cve: "CVE-2020-2921", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2921", }, { cve: "CVE-2020-2922", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2922", }, { cve: "CVE-2020-2923", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2923", }, { cve: "CVE-2020-2924", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2924", }, { cve: "CVE-2020-2925", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2925", }, { cve: "CVE-2020-2926", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2926", }, { cve: "CVE-2020-2928", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2928", }, { cve: "CVE-2020-2930", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. 
Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2930", }, { cve: "CVE-2020-2933", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2933", }, { cve: "CVE-2020-2934", notes: [ { category: "description", text: "In Oracle MySQL existieren mehrere Schwachstellen in den Produkten MySQL Server, MySQL Workbench, MySQL Enterprise Monitor, MySQL Cluster, MySQL Client und MySQL Connectors. Durch Ausnutzung dieser Schwachstellen kann ein entfernter Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion und keine Authentisierung notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T015519", "T015518", "67646", "T015516", "T015127", "T015126", "T012167", "T004914", "T016243", "2951", "T002207", "T000126", "398363", "T000197", ], }, release_date: "2020-04-14T22:00:00.000+00:00", title: "CVE-2020-2934", }, ], }
suse-su-2021:2877-1
Vulnerability from csaf_suse
Notes
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for mysql-connector-java", title: "Title of the patch", }, { category: "description", text: "This update for mysql-connector-java fixes the following issues:\n\n- CVE-2020-2875: Unauthenticated attacker with network access via multiple protocols can compromise MySQL Connectors. (bsc#1173600)\n- CVE-2020-2934: Fixed a vulnerability which could cause a partial denial of service of MySQL Connectors. (bsc#1173600)\n- CVE-2020-2933: Fixed a vulnerability which could allow a high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. (bsc#1173600)\n", title: "Description of the patch", }, { category: "details", text: "HPE-Helion-OpenStack-8-2021-2877,SUSE-2021-2877,SUSE-OpenStack-Cloud-8-2021-2877,SUSE-OpenStack-Cloud-9-2021-2877,SUSE-OpenStack-Cloud-Crowbar-8-2021-2877,SUSE-OpenStack-Cloud-Crowbar-9-2021-2877,SUSE-SLE-SDK-12-SP5-2021-2877", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_2877-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:2877-1", url: 
"https://www.suse.com/support/update/announcement/2021/suse-su-20212877-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:2877-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-August/009371.html", }, { category: "self", summary: "SUSE Bug 1173600", url: "https://bugzilla.suse.com/1173600", }, { category: "self", summary: "SUSE CVE CVE-2020-2875 page", url: "https://www.suse.com/security/cve/CVE-2020-2875/", }, { category: "self", summary: "SUSE CVE CVE-2020-2933 page", url: "https://www.suse.com/security/cve/CVE-2020-2933/", }, { category: "self", summary: "SUSE CVE CVE-2020-2934 page", url: "https://www.suse.com/security/cve/CVE-2020-2934/", }, ], title: "Security update for mysql-connector-java", tracking: { current_release_date: "2021-08-30T13:56:16Z", generator: { date: "2021-08-30T13:56:16Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:2877-1", initial_release_date: "2021-08-30T13:56:16Z", revision_history: [ { date: "2021-08-30T13:56:16Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "mysql-connector-java-5.1.42-5.7.1.noarch", product: { name: "mysql-connector-java-5.1.42-5.7.1.noarch", product_id: "mysql-connector-java-5.1.42-5.7.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "HPE Helion OpenStack 8", product: { name: "HPE Helion OpenStack 8", product_id: "HPE Helion OpenStack 8", product_identification_helper: { cpe: "cpe:/o:suse:hpe-helion-openstack:8", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud 8", product: { name: "SUSE OpenStack Cloud 8", product_id: "SUSE OpenStack Cloud 8", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:8", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud 9", product: { name: "SUSE OpenStack 
Cloud 9", product_id: "SUSE OpenStack Cloud 9", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:9", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud Crowbar 8", product: { name: "SUSE OpenStack Cloud Crowbar 8", product_id: "SUSE OpenStack Cloud Crowbar 8", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud-crowbar:8", }, }, }, { category: "product_name", name: "SUSE OpenStack Cloud Crowbar 9", product: { name: "SUSE OpenStack Cloud Crowbar 9", product_id: "SUSE OpenStack Cloud Crowbar 9", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud-crowbar:9", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Software Development Kit 12 SP5", product: { name: "SUSE Linux Enterprise Software Development Kit 12 SP5", product_id: "SUSE Linux Enterprise Software Development Kit 12 SP5", product_identification_helper: { cpe: "cpe:/o:suse:sle-sdk:12:sp5", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.42-5.7.1.noarch as component of HPE Helion OpenStack 8", product_id: "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", }, product_reference: "mysql-connector-java-5.1.42-5.7.1.noarch", relates_to_product_reference: "HPE Helion OpenStack 8", }, { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.42-5.7.1.noarch as component of SUSE OpenStack Cloud 8", product_id: "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", }, product_reference: "mysql-connector-java-5.1.42-5.7.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 8", }, { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.42-5.7.1.noarch as component of SUSE OpenStack Cloud 9", product_id: "SUSE OpenStack Cloud 
9:mysql-connector-java-5.1.42-5.7.1.noarch", }, product_reference: "mysql-connector-java-5.1.42-5.7.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 9", }, { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.42-5.7.1.noarch as component of SUSE OpenStack Cloud Crowbar 8", product_id: "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", }, product_reference: "mysql-connector-java-5.1.42-5.7.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud Crowbar 8", }, { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.42-5.7.1.noarch as component of SUSE OpenStack Cloud Crowbar 9", product_id: "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", }, product_reference: "mysql-connector-java-5.1.42-5.7.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud Crowbar 9", }, { category: "default_component_of", full_product_name: { name: "mysql-connector-java-5.1.42-5.7.1.noarch as component of SUSE Linux Enterprise Software Development Kit 12 SP5", product_id: "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", }, product_reference: "mysql-connector-java-5.1.42-5.7.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Software Development Kit 12 SP5", }, ], }, vulnerabilities: [ { cve: "CVE-2020-2875", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2875", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).", title: "CVE description", }, ], product_status: { recommended: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2875", url: "https://www.suse.com/security/cve/CVE-2020-2875", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2875", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2875", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", 
"SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 4.7, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-30T13:56:16Z", details: "moderate", }, ], title: "CVE-2020-2875", }, { cve: "CVE-2020-2933", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2933", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", title: "CVE description", }, ], product_status: { recommended: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2933", url: "https://www.suse.com/security/cve/CVE-2020-2933", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2933", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2933", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 2.2, baseSeverity: "LOW", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack 
Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-30T13:56:16Z", details: "moderate", }, ], title: "CVE-2020-2933", }, { cve: "CVE-2020-2934", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-2934", }, ], notes: [ { category: "general", text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).", title: "CVE description", }, ], product_status: { recommended: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2020-2934", url: "https://www.suse.com/security/cve/CVE-2020-2934", }, { category: "external", summary: "SUSE Bug 1173599 for CVE-2020-2934", url: "https://bugzilla.suse.com/1173599", }, { category: "external", summary: "SUSE Bug 1173600 for CVE-2020-2934", url: "https://bugzilla.suse.com/1173600", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HPE Helion OpenStack 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE Linux Enterprise Software Development Kit 12 SP5:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack 
Cloud 9:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 8:mysql-connector-java-5.1.42-5.7.1.noarch", "SUSE OpenStack Cloud Crowbar 9:mysql-connector-java-5.1.42-5.7.1.noarch", ], }, ], threats: [ { category: "impact", date: "2021-08-30T13:56:16Z", details: "moderate", }, ], title: "CVE-2020-2934", }, ], }
fkie_cve-2020-2933
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
oracle | mysql_connector\/j | * | |
fedoraproject | fedora | 32 | |
fedoraproject | fedora | 33 | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:mysql_connector\\/j:*:*:*:*:*:*:*:*", matchCriteriaId: "AD15EE6F-5465-4029-8587-C02A521C1C90", versionEndIncluding: "5.1.48", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", }, { lang: "es", value: "Vulnerabilidad en el producto MySQL Connectors de Oracle MySQL (componente: Conector/J). Las versiones compatibles que están afectadas son la 5.1.48 y anteriores. Una vulnerabilidad difícil de explotar permite a un atacante muy privilegiado con acceso a la red por medio de múltiples protocolos comprometer a MySQL Connectors. 
Los ataques con éxito de esta vulnerabilidad pueden resultar en una capacidad no autorizada para causar una denegación de servicio parcial (DOS parcial) de MySQL Connectors. CVSS 3.0 Puntuación Base 2.2 (Impactos de la disponibilidad). Vector CVSS: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).", }, ], id: "CVE-2020-2933", lastModified: "2024-11-21T05:26:40.043", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:S/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, exploitabilityScore: 0.7, impactScore: 1.4, source: "secalert_us@oracle.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 2.2, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 0.7, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-04-15T14:15:36.357", references: [ { source: "secalert_us@oracle.com", tags: [ "Third Party Advisory", ], url: 
"https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { source: "secalert_us@oracle.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { source: "secalert_us@oracle.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { source: "secalert_us@oracle.com", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202105-27", }, { source: "secalert_us@oracle.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2020/dsa-4703", }, { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QDR2WOUETBT76WAO5NNCCXSAM3AGG3D/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDKQVPFT4Z4SFPBH6YNFMJOXKS2YYKHA/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202105-27", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2020/dsa-4703", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }