Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-24963 (GCVE-0-2022-24963)
Vulnerability from cvelistv5 – Published: 2023-01-31 15:52 – Updated: 2025-03-27 14:33
VLAI?
EPSS
Title
Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions
Summary
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.
Severity ?
No CVSS data available.
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/fw9p6sdncwsjkstwc… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2023090… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
1.7.0
|
Credits
Ronald Crane (Zippenhop LLC)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-24963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:33:34.281533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:33:39.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronald Crane (Zippenhop LLC)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\u003cbr\u003eThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
],
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:38.212Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-24963",
"datePublished": "2023-01-31T15:52:09.716Z",
"dateReserved": "2022-02-11T12:49:56.769Z",
"dateUpdated": "2025-03-27T14:33:39.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-24963",
"date": "2026-05-20",
"epss": "0.00138",
"percentile": "0.33309"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"56961B22-99C1-470F-9EDC-B02633745025\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de desbordamiento de enteros o envoltura en las funciones apr_encode de Apache Portable Runtime (APR) permite a un atacante escribir m\\u00e1s all\\u00e1 de los l\\u00edmites de un b\\u00fafer. Este problema afecta a Apache Portable Runtime (APR) versi\\u00f3n 1.7.0.\"}]",
"id": "CVE-2022-24963",
"lastModified": "2024-11-21T06:51:28.317",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-01-31T16:15:08.830",
"references": "[{\"url\": \"https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230908-0008/\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230908-0008/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-190\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-24963\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-01-31T16:15:08.830\",\"lastModified\":\"2025-03-27T15:15:36.323\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de desbordamiento de enteros o envoltura en las funciones apr_encode de Apache Portable Runtime (APR) permite a un atacante escribir m\u00e1s all\u00e1 de los l\u00edmites de un b\u00fafer. Este problema afecta a Apache Portable Runtime (APR) versi\u00f3n 1.7.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56961B22-99C1-470F-9EDC-B02633745025\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230908-0008/\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230908-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"Apache Portable Runtime (APR)\", \"vendor\": \"Apache Software Foundation\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.7.0\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ronald Crane (Zippenhop LLC)\"}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\u003cbr\u003eThis issue affects Apache Portable Runtime (APR) version 1.7.0.\"}], \"value\": \"Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.\"}], \"metrics\": [{\"other\": {\"content\": {\"text\": \"moderate\"}, \"type\": \"Textual description of severity\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-190\", \"description\": \"CWE-190 Integer Overflow or Wraparound\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-09-08T16:06:38.212Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230908-0008/\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:29:01.595Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"vendor-advisory\", \"x_transferred\"], \"url\": \"https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230908-0008/\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24963\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-27T14:33:34.281533Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-27T14:33:27.079Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2022-24963\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"apache\", \"dateReserved\": \"2022-02-11T12:49:56.769Z\", \"datePublished\": \"2023-01-31T15:52:09.716Z\", \"dateUpdated\": \"2025-03-27T14:33:39.826Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
alsa-2023:7711
Vulnerability from osv_almalinux
Published
2023-12-11 00:00
Modified
2023-12-11 13:16
Summary
Moderate: apr security update
Details
The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.
Security Fix(es):
- apr: integer overflow/wraparound in apr_encode (CVE-2022-24963)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "apr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0-12.el9_3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "apr-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0-12.el9_3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.\n\nSecurity Fix(es):\n\n* apr: integer overflow/wraparound in apr_encode (CVE-2022-24963)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2023:7711",
"modified": "2023-12-11T13:16:59Z",
"published": "2023-12-11T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2023:7711"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-24963"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2169465"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2023-7711.html"
}
],
"related": [
"CVE-2022-24963"
],
"summary": "Moderate: apr security update"
}
BDU:2024-00850
Vulnerability from fstec - Published: 31.01.2023
VLAI Severity ?
Title
Уязвимость функции apr_encode библиотеки Apache Portable Runtime (APR), позволяющая нарушителю выполнить произвольный код
Description
Уязвимость функции apr_encode библиотеки Apache Portable Runtime (APR) связана с целочисленным переполнением при обработке длины полей. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код
Severity ?
Vendor
Сообщество свободного программного обеспечения, Novell Inc., Canonical Ltd., Red Hat Inc., NetApp Inc., АО «ИВК», Apache Software Foundation, Project Harbor, ООО «НЦПР»
Software Name
Debian GNU/Linux, openSUSE Tumbleweed, Ubuntu, Red Hat Enterprise Linux, ONTAP, АЛЬТ СП 10, Red Hat JBoss Core Services, NetApp SolidFire & HCI Storage Node, NetApp SolidFire & HCI Management Node, NetApp HCI Compute Node BIOS, SUSE Liberty Linux, Portable Runtime (APR), Jboss Web Server, Red Hat JBoss Web Server, harbor, МСВСфера
Software Version
10 (Debian GNU/Linux), - (openSUSE Tumbleweed), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 22.04 LTS (Ubuntu), 9 (Red Hat Enterprise Linux), 22.10 (Ubuntu), 9 (ONTAP), - (АЛЬТ СП 10), 1 (Red Hat JBoss Core Services), RHEL 8 (Red Hat JBoss Core Services), RHEL 7 (Red Hat JBoss Core Services), - (NetApp SolidFire & HCI Storage Node), - (NetApp SolidFire & HCI Management Node), - (NetApp HCI Compute Node BIOS), 9 (SUSE Liberty Linux), 1.7.0 (Portable Runtime (APR)), 5.7.4 (Jboss Web Server), 5.7 on RHEL7 (Red Hat JBoss Web Server), 5.7 on RHEL 8 (Red Hat JBoss Web Server), 5.7 on RHEL 9 (Red Hat JBoss Web Server), 2.7.0 (harbor), 9.5 (МСВСфера)
Possible Mitigations
Использование рекомендаций:
Для программных продуктов Apache Software Foundation:
https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9
Для Ubuntu:
https://ubuntu.com/security/notices/USN-5885-1
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-24963.html
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2022-24963
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-24963
Для программных продуктов NetApp Inc.:
https://security.netapp.com/advisory/ntap-20230908-0008/
Компенсирующие меры для Harbor :
- отключение/удаление неиспользуемых учетных записей пользователей;
- минимизация пользовательских привилегий;
- использование антивирусных средств защиты;
- контроль действий пользователей.
Для ОС Альт 8 СП (релиз 10): установка обновления из публичного репозитория программного средства
Для МСВСфера: https://errata.msvsphere-os.ru/definition/9/INFCSA-2023:7711?lang=ru
Reference
https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9
https://ubuntu.com/security/notices/USN-5885-1
https://www.suse.com/security/cve/CVE-2022-24963.html
https://access.redhat.com/security/cve/CVE-2022-24963
https://security-tracker.debian.org/tracker/CVE-2022-24963
https://security.netapp.com/advisory/ntap-20230908-0008/
https://altsp.su/obnovleniya-bezopasnosti/
https://errata.msvsphere-os.ru/definition/9/INFCSA-2023:7711?lang=ru
CWE
CWE-190
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., Canonical Ltd., Red Hat Inc., NetApp Inc., \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, Apache Software Foundation, Project Harbor, \u041e\u041e\u041e \u00ab\u041d\u0426\u041f\u0420\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "10 (Debian GNU/Linux), - (openSUSE Tumbleweed), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 22.04 LTS (Ubuntu), 9 (Red Hat Enterprise Linux), 22.10 (Ubuntu), 9 (ONTAP), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), 1 (Red Hat JBoss Core Services), RHEL 8 (Red Hat JBoss Core Services), RHEL 7 (Red Hat JBoss Core Services), - (NetApp SolidFire \u0026 HCI Storage Node), - (NetApp SolidFire \u0026 HCI Management Node), - (NetApp HCI Compute Node BIOS), 9 (SUSE Liberty Linux), 1.7.0 (Portable Runtime (APR)), 5.7.4 (Jboss Web Server), 5.7 on RHEL7 (Red Hat JBoss Web Server), 5.7 on RHEL 8 (Red Hat JBoss Web Server), 5.7 on RHEL 9 (Red Hat JBoss Web Server), 2.7.0 (harbor), 9.5 (\u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Apache Software Foundation:\nhttps://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\n\n\u0414\u043b\u044f Ubuntu:\nhttps://ubuntu.com/security/notices/USN-5885-1\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2022-24963.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2022-24963\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-24963\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 NetApp Inc.:\nhttps://security.netapp.com/advisory/ntap-20230908-0008/\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b \u0434\u043b\u044f Harbor :\n- \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435/\u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u043d\u0435\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439;\n- \u043c\u0438\u043d\u0438\u043c\u0438\u0437\u0430\u0446\u0438\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0430\u043d\u0442\u0438\u0432\u0438\u0440\u0443\u0441\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 \u0437\u0430\u0449\u0438\u0442\u044b;\n- \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439.\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0440\u0435\u043b\u0438\u0437 10): \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f \u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430: https://errata.msvsphere-os.ru/definition/9/INFCSA-2023:7711?lang=ru",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "31.01.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "19.11.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "31.01.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-00850",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-24963",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, openSUSE Tumbleweed, Ubuntu, Red Hat Enterprise Linux, ONTAP, \u0410\u041b\u042c\u0422 \u0421\u041f 10, Red Hat JBoss Core Services, NetApp SolidFire \u0026 HCI Storage Node, NetApp SolidFire \u0026 HCI Management Node, NetApp HCI Compute Node BIOS, SUSE Liberty Linux, Portable Runtime (APR), Jboss Web Server, Red Hat JBoss Web Server, harbor, \u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Novell Inc. openSUSE Tumbleweed - , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , Canonical Ltd. Ubuntu 22.04 LTS , Red Hat Inc. Red Hat Enterprise Linux 9 , Canonical Ltd. Ubuntu 22.10 , NetApp Inc. ONTAP 9 , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - , Novell Inc. SUSE Liberty Linux 9 , \u041e\u041e\u041e \u00ab\u041d\u0426\u041f\u0420\u00bb \u041c\u0421\u0412\u0421\u0444\u0435\u0440\u0430 9.5 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 apr_encode \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 Apache Portable Runtime (APR), \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0426\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0438\u043b\u0438 \u0446\u0438\u043a\u043b\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0441\u0434\u0432\u0438\u0433 (CWE-190)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 apr_encode \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 Apache Portable Runtime (APR) \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u044b\u043c \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435\u043c \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0434\u043b\u0438\u043d\u044b \u043f\u043e\u043b\u0435\u0439. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9\nhttps://ubuntu.com/security/notices/USN-5885-1\nhttps://www.suse.com/security/cve/CVE-2022-24963.html\nhttps://access.redhat.com/security/cve/CVE-2022-24963\nhttps://security-tracker.debian.org/tracker/CVE-2022-24963\nhttps://security.netapp.com/advisory/ntap-20230908-0008/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://errata.msvsphere-os.ru/definition/9/INFCSA-2023:7711?lang=ru",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u044b\u0445 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041c\u0438\u043a\u0440\u043e\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0439 \u043a\u043e\u0434, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-190",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}
bit-apr-2022-24963
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:50
Modified
2025-05-20 10:02
Summary
Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions
Details
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "apr",
"purl": "pkg:bitnami/apr"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.1"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-24963"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*"
],
"severity": "Critical"
},
"details": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.",
"id": "BIT-apr-2022-24963",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T10:50:46.060Z",
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963"
}
],
"schema_version": "1.5.0",
"summary": "Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions"
}
CNVD-2023-57672
Vulnerability from cnvd - Published: 2023-07-21
VLAI Severity ?
Title
Apache Portable Runtime越界写漏洞
Description
Apache Portable Runtime是美国阿帕奇(Apache)基金会的一个为上层应用程序提供可跨越多个操作系统平台使用的底层支持接口库。
Apache Portable Runtime存在越界写漏洞,攻击者可利用该漏洞实现整数溢出或环绕错误导致向缓冲区边界之外写入数据。
Severity
高
Patch Name
Apache Portable Runtime越界写漏洞的补丁
Patch Description
Apache Portable Runtime是美国阿帕奇(Apache)基金会的一个为上层应用程序提供可跨越多个操作系统平台使用的底层支持接口库。
Apache Portable Runtime存在越界写漏洞,攻击者可利用该漏洞实现整数溢出或环绕错误导致向缓冲区边界之外写入数据。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9
Reference
https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9
Impacted products
| Name | Apache Portable Runtime 1.7.0 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-24963",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963"
}
},
"description": "Apache Portable Runtime\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u4e3a\u4e0a\u5c42\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u8de8\u8d8a\u591a\u4e2a\u64cd\u4f5c\u7cfb\u7edf\u5e73\u53f0\u4f7f\u7528\u7684\u5e95\u5c42\u652f\u6301\u63a5\u53e3\u5e93\u3002\n\nApache Portable Runtime\u5b58\u5728\u8d8a\u754c\u5199\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u73b0\u6574\u6570\u6ea2\u51fa\u6216\u73af\u7ed5\u9519\u8bef\u5bfc\u81f4\u5411\u7f13\u51b2\u533a\u8fb9\u754c\u4e4b\u5916\u5199\u5165\u6570\u636e\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2023-57672",
"openTime": "2023-07-21",
"patchDescription": "Apache Portable Runtime\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u4e3a\u4e0a\u5c42\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u53ef\u8de8\u8d8a\u591a\u4e2a\u64cd\u4f5c\u7cfb\u7edf\u5e73\u53f0\u4f7f\u7528\u7684\u5e95\u5c42\u652f\u6301\u63a5\u53e3\u5e93\u3002\r\n\r\nApache Portable Runtime\u5b58\u5728\u8d8a\u754c\u5199\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u73b0\u6574\u6570\u6ea2\u51fa\u6216\u73af\u7ed5\u9519\u8bef\u5bfc\u81f4\u5411\u7f13\u51b2\u533a\u8fb9\u754c\u4e4b\u5916\u5199\u5165\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache Portable Runtime\u8d8a\u754c\u5199\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Apache Portable Runtime 1.7.0"
},
"referenceLink": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9",
"serverity": "\u9ad8",
"submitTime": "2023-02-06",
"title": "Apache Portable Runtime\u8d8a\u754c\u5199\u6f0f\u6d1e"
}
FKIE_CVE-2022-24963
Vulnerability from fkie_nvd - Published: 2023-01-31 16:15 - Updated: 2025-03-27 15:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | portable_runtime | 1.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "56961B22-99C1-470F-9EDC-B02633745025",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0."
},
{
"lang": "es",
"value": "Vulnerabilidad de desbordamiento de enteros o envoltura en las funciones apr_encode de Apache Portable Runtime (APR) permite a un atacante escribir m\u00e1s all\u00e1 de los l\u00edmites de un b\u00fafer. Este problema afecta a Apache Portable Runtime (APR) versi\u00f3n 1.7.0."
}
],
"id": "CVE-2022-24963",
"lastModified": "2025-03-27T15:15:36.323",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-01-31T16:15:08.830",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
GHSA-6RR3-MPXQ-HV4X
Vulnerability from github – Published: 2023-01-31 18:30 – Updated: 2025-03-27 15:30
VLAI?
Details
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.
Severity ?
9.8 (Critical)
{
"affected": [],
"aliases": [
"CVE-2022-24963"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-31T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.",
"id": "GHSA-6rr3-mpxq-hv4x",
"modified": "2025-03-27T15:30:36Z",
"published": "2023-01-31T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230908-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2022-24963
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-24963",
"id": "GSD-2022-24963",
"references": [
"https://advisories.mageia.org/CVE-2022-24963.html",
"https://www.suse.com/security/cve/CVE-2022-24963.html",
"https://www.debian.org/security/2023/dsa-5370"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-24963"
],
"details": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.",
"id": "GSD-2022-24963",
"modified": "2023-12-13T01:19:43.206116Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-24963",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Portable Runtime (APR)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Ronald Crane (Zippenhop LLC)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-190",
"lang": "eng",
"value": "CWE-190 Integer Overflow or Wraparound"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230908-0008/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-24963"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9",
"refsource": "MISC",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230908-0008/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-09-08T17:15Z",
"publishedDate": "2023-01-31T16:15Z"
}
}
}
MSRC_CVE-2022-24963
Vulnerability from csaf_microsoft - Published: 2023-01-04 00:00 - Updated: 2026-02-18 14:58Summary
Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 18847-17084 | — |
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-1 | — |
Vendor Fix
fix
|
Known not affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-2 | — |
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2022-24963 Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2022-24963.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions",
"tracking": {
"current_release_date": "2026-02-18T14:58:11.000Z",
"generator": {
"date": "2026-02-21T03:00:19.893Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2022-24963",
"initial_release_date": "2023-01-04T00:00:00.000Z",
"revision_history": [
{
"date": "2025-09-03T23:35:51.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-02-18T14:58:11.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 apr 1.7.2-1",
"product": {
"name": "\u003cazl3 apr 1.7.2-1",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 apr 1.7.2-1",
"product": {
"name": "azl3 apr 1.7.2-1",
"product_id": "18847"
}
}
],
"category": "product_name",
"name": "apr"
},
{
"category": "product_name",
"name": "azl3 apr 1.7.5-1",
"product": {
"name": "azl3 apr 1.7.5-1",
"product_id": "2"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 apr 1.7.2-1 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 apr 1.7.2-1 as a component of Azure Linux 3.0",
"product_id": "18847-17084"
},
"product_reference": "18847",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 apr 1.7.5-1 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24963",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"17084-2"
]
}
],
"notes": [
{
"category": "general",
"text": "apache",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"18847-17084"
],
"known_affected": [
"17084-1"
],
"known_not_affected": [
"17084-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-24963 Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2022-24963.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2025-09-03T23:35:51.000Z",
"details": "1.7.2-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"17084-1"
]
}
],
"title": "Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions"
}
]
}
OPENSUSE-SU-2024:12655-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
apr-devel-1.7.2-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: apr-devel-1.7.2-1.1 on GA media
Description of the patch: These are all security issues fixed in the apr-devel-1.7.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12655
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.1 (High)
Affected products
Recommended
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:apr-devel-1.7.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apr-devel-1.7.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apr-devel-1.7.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:apr-devel-1.7.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "apr-devel-1.7.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the apr-devel-1.7.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12655",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12655-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-24963 page",
"url": "https://www.suse.com/security/cve/CVE-2022-24963/"
}
],
"title": "apr-devel-1.7.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12655-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apr-devel-1.7.2-1.1.aarch64",
"product": {
"name": "apr-devel-1.7.2-1.1.aarch64",
"product_id": "apr-devel-1.7.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "libapr1-0-1.7.2-1.1.aarch64",
"product": {
"name": "libapr1-0-1.7.2-1.1.aarch64",
"product_id": "libapr1-0-1.7.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "apr-devel-1.7.2-1.1.ppc64le",
"product": {
"name": "apr-devel-1.7.2-1.1.ppc64le",
"product_id": "apr-devel-1.7.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "libapr1-0-1.7.2-1.1.ppc64le",
"product": {
"name": "libapr1-0-1.7.2-1.1.ppc64le",
"product_id": "libapr1-0-1.7.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apr-devel-1.7.2-1.1.s390x",
"product": {
"name": "apr-devel-1.7.2-1.1.s390x",
"product_id": "apr-devel-1.7.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "libapr1-0-1.7.2-1.1.s390x",
"product": {
"name": "libapr1-0-1.7.2-1.1.s390x",
"product_id": "libapr1-0-1.7.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apr-devel-1.7.2-1.1.x86_64",
"product": {
"name": "apr-devel-1.7.2-1.1.x86_64",
"product_id": "apr-devel-1.7.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "libapr1-0-1.7.2-1.1.x86_64",
"product": {
"name": "libapr1-0-1.7.2-1.1.x86_64",
"product_id": "libapr1-0-1.7.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apr-devel-1.7.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apr-devel-1.7.2-1.1.aarch64"
},
"product_reference": "apr-devel-1.7.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apr-devel-1.7.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apr-devel-1.7.2-1.1.ppc64le"
},
"product_reference": "apr-devel-1.7.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apr-devel-1.7.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apr-devel-1.7.2-1.1.s390x"
},
"product_reference": "apr-devel-1.7.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apr-devel-1.7.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apr-devel-1.7.2-1.1.x86_64"
},
"product_reference": "apr-devel-1.7.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libapr1-0-1.7.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.aarch64"
},
"product_reference": "libapr1-0-1.7.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libapr1-0-1.7.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.ppc64le"
},
"product_reference": "libapr1-0-1.7.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libapr1-0-1.7.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.s390x"
},
"product_reference": "libapr1-0-1.7.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libapr1-0-1.7.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.x86_64"
},
"product_reference": "libapr1-0-1.7.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24963",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-24963"
}
],
"notes": [
{
"category": "general",
"text": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.aarch64",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.ppc64le",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.s390x",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.x86_64",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.aarch64",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.ppc64le",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.s390x",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-24963",
"url": "https://www.suse.com/security/cve/CVE-2022-24963"
},
{
"category": "external",
"summary": "SUSE Bug 1207870 for CVE-2022-24963",
"url": "https://bugzilla.suse.com/1207870"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.aarch64",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.ppc64le",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.s390x",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.x86_64",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.aarch64",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.ppc64le",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.s390x",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.aarch64",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.ppc64le",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.s390x",
"openSUSE Tumbleweed:apr-devel-1.7.2-1.1.x86_64",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.aarch64",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.ppc64le",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.s390x",
"openSUSE Tumbleweed:libapr1-0-1.7.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-24963"
}
]
}
RHSA-2023:4628
Vulnerability from csaf_redhat - Published: 2023-08-15 17:37 - Updated: 2026-04-01 18:56Summary
Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update
Severity
Moderate
Notes
Topic: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* apr-util: integer overflow/wraparound in apr_encode (CVE-2022-24963)
* apr-util: Windows out-of-bounds write in apr_socket_sendv function (CVE-2022-28331)
* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)
* httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)
* mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass (CVE-2022-48279)
* modsecurity: lacking the complete content in FILES_TMP_CONTENT leads to web application firewall bypass (CVE-2023-24021)
* httpd: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)
* curl: use after free in SSH sha256 fingerprint check (CVE-2023-28319)
* curl: IDN wildcard match may lead to Improper Cerificate Validation (CVE-2023-28321)
* libxml2: NULL dereference in xmlSchemaFixupComplexType (CVE-2023-28484)
* libxml2: Hashing of empty dict strings isn't deterministic (CVE-2023-29469)
* curl: more POST-after-PUT confusion (CVE-2023-28322)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in Apache Portable Runtime, affecting versions <= 1.7.0. This issue may allow a malicious user to write beyond the end of a stack buffer and cause an integer overflow. This affects Windows environments.
9.8 (Critical)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server, where it forwards requests.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the mod_proxy module of httpd. A malicious backend can cause the response headers to be truncated because they are not cleaned when an error is found while reading them, resulting in some headers being incorporated into the response body and not being interpreted by a client.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A vulnerability was found in ModSecurity. This issue occurs when HTTP multipart requests are incorrectly parsed and could bypass the Web Application Firewall. NOTE: This is related to CVE-2022-39956, but can be considered independent changes to the ModSecurity (C language) codebase.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A vulnerability was found in ModSecurity. This issue occurs when FILES_TMP_CONTENT lacks complete content, which can lead to a Web Application Firewall bypass.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via mod_proxy_uwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A use-after-free flaw was found in the Curl package. This flaw risks inserting sensitive heap-based data into the error message that users might see or is otherwise leaked and revealed.
5.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in the Curl package. An incorrect International Domain Name (IDN) wildcard match may lead to improper certificate validation.
5.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A use-after-free flaw was found in the Curl package. This issue may lead to unintended information disclosure by the application.
CWE-440 - Expected Behavior ViolationAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
A NULL pointer dereference vulnerability was found in libxml2. This issue occurs when parsing (invalid) XML schemas.
5.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
A flaw was found in libxml2. This issue occurs when hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results, which may lead to various logic or memory errors, including double free errors.
5.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Text-Only JBCS
Red Hat / Red Hat JBoss Core Services
|
cpe:/a:redhat:jboss_core_services:1
|
— |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
71 references
Acknowledgments
Wei Chong Tan
Daniel Stenberg
Hiroki Kurosawa
Daniel Stenberg
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat JBoss Core Services Apache HTTP Server 2.4.57 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* apr-util: integer overflow/wraparound in apr_encode (CVE-2022-24963)\n\n* apr-util: Windows out-of-bounds write in apr_socket_sendv function (CVE-2022-28331)\n\n* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)\n\n* httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)\n\n* mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass (CVE-2022-48279)\n\n* modsecurity: lacking the complete content in FILES_TMP_CONTENT leads to web application firewall bypass (CVE-2023-24021)\n\n* httpd: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)\n\n* curl: use after free in SSH sha256 fingerprint check (CVE-2023-28319)\n\n* curl: IDN wildcard match may lead to Improper Cerificate Validation (CVE-2023-28321)\n\n* libxml2: NULL dereference in xmlSchemaFixupComplexType (CVE-2023-28484)\n\n* libxml2: Hashing of empty dict strings isn\u0027t deterministic (CVE-2023-29469)\n\n* curl: more POST-after-PUT confusion (CVE-2023-28322)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:4628",
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2161773",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161773"
},
{
"category": "external",
"summary": "2161777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161777"
},
{
"category": "external",
"summary": "2163615",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163615"
},
{
"category": "external",
"summary": "2163622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163622"
},
{
"category": "external",
"summary": "2169465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169465"
},
{
"category": "external",
"summary": "2172556",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172556"
},
{
"category": "external",
"summary": "2176211",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176211"
},
{
"category": "external",
"summary": "2185984",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185984"
},
{
"category": "external",
"summary": "2185994",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185994"
},
{
"category": "external",
"summary": "2196778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196778"
},
{
"category": "external",
"summary": "2196786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196786"
},
{
"category": "external",
"summary": "2196793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196793"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_4628.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update",
"tracking": {
"current_release_date": "2026-04-01T18:56:29+00:00",
"generator": {
"date": "2026-04-01T18:56:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.4"
}
},
"id": "RHSA-2023:4628",
"initial_release_date": "2023-08-15T17:37:09+00:00",
"revision_history": [
{
"date": "2023-08-15T17:37:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-08-15T17:37:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-01T18:56:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Text-Only JBCS",
"product": {
"name": "Text-Only JBCS",
"product_id": "Text-Only JBCS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_core_services:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Core Services"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24963",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2023-02-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2169465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Portable Runtime (APR). This issue may allow a malicious attacker to write beyond the bounds of a buffer.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apr: integer overflow/wraparound in apr_encode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Versions of \"apr-util\" shipped with Red Hat Enterprise Linux-6, 7, 8, and 9 are not affected. \"apr_encode_*\" API, which contains the affected code was added in apr-utils v1.7.0, whereas, RHEL ships apr-util v1.6.1 and lower.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24963"
},
{
"category": "external",
"summary": "RHBZ#2169465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24963",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24963"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24963"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9",
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apr: integer overflow/wraparound in apr_encode"
},
{
"cve": "CVE-2022-28331",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2023-02-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2172556"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Portable Runtime, affecting versions \u003c= 1.7.0. This issue may allow a malicious user to write beyond the end of a stack buffer and cause an integer overflow. This affects Windows environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apr: Windows out-of-bounds write in apr_socket_sendv function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-28331"
},
{
"category": "external",
"summary": "RHBZ#2172556",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172556"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-28331",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-28331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28331"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r",
"url": "https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apr: Windows out-of-bounds write in apr_socket_sendv function"
},
{
"cve": "CVE-2022-36760",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2023-01-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161777"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server, where it forwards requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: mod_proxy_ajp: Possible request smuggling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw only affects configurations with mod_proxy_ajp loaded and with an AJP backend configured. If there is no proxy configured to an AJP backend the server is not affected and no further mitigation is needed. For more information about the mitigation, check the mitigation section below.\n\nThe httpd mod_proxy_ajp module is enabled by default on Red Hat Enterprise Linux 6, 7, 8, 9, and in RHSCL. However, there are no directives forwarding requests using the AJP protocol.\n\nThis flaw has been rated as having a security impact of moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36760"
},
{
"category": "external",
"summary": "RHBZ#2161777",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161777"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36760",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36760"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760"
}
],
"release_date": "2023-01-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "httpd: mod_proxy_ajp: Possible request smuggling"
},
{
"cve": "CVE-2022-37436",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"discovery_date": "2023-01-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161773"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the mod_proxy module of httpd. A malicious backend can cause the response headers to be truncated because they are not cleaned when an error is found while reading them, resulting in some headers being incorporated into the response body and not being interpreted by a client.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: mod_proxy: HTTP response splitting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is only exploitable via bad headers generated by a malicious backend or a malicious application.\n\nhttpd as shipped in Red Hat Enterprise Linux 7, 8, 9 and in RHSCL is vulnerable to this flaw. httpd as shipped in Red Hat Enterprise Linux 6 is not affected.\n\nThis flaw has been rated as having a security impact of moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37436"
},
{
"category": "external",
"summary": "RHBZ#2161773",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161773"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37436",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37436"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37436",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37436"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436"
}
],
"release_date": "2023-01-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. It\u0027s recommended to update the affected packages as soon as an update is available.",
"product_ids": [
"Text-Only JBCS"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "httpd: mod_proxy: HTTP response splitting"
},
{
"cve": "CVE-2022-48279",
"cwe": {
"id": "CWE-1389",
"name": "Incorrect Parsing of Numbers with Different Radices"
},
"discovery_date": "2023-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2163622"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in ModSecurity. This issue occurs when HTTP multipart requests are incorrectly parsed and could bypass the Web Application Firewall. NOTE: This is related to CVE-2022-39956, but can be considered independent changes to the ModSecurity (C language) codebase.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this vulnerability as Moderate impact as a result of how mod_security is configured to be used in Red Hat products. When running with default configurations the affected program will have limited privileges and thus the impact of this flaw will be restricted beyond what the Web Application Firewall is also restricting.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-48279"
},
{
"category": "external",
"summary": "RHBZ#2163622",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163622"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-48279",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48279"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48279"
}
],
"release_date": "2023-01-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Text-Only JBCS"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mod_security: incorrect parsing of HTTP multipart requests leads to web application firewall bypass"
},
{
"cve": "CVE-2023-24021",
"cwe": {
"id": "CWE-402",
"name": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
},
"discovery_date": "2023-01-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2163615"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in ModSecurity. This issue occurs when FILES_TMP_CONTENT lacks complete content, which can lead to a Web Application Firewall bypass.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "modsecurity: lacking the complete content in FILES_TMP_CONTENT leads to web application firewall bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat rates this vulnerability as Moderate impact as a result of how mod_security is configured to be used in Red Hat products. When running with default configurations the affected program will have limited privileges and thus the impact of this flaw will be restricted beyond what the Web Application Firewall is also restricting.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24021"
},
{
"category": "external",
"summary": "RHBZ#2163615",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163615"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24021",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24021"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24021",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24021"
}
],
"release_date": "2023-01-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Text-Only JBCS"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "modsecurity: lacking the complete content in FILES_TMP_CONTENT leads to web application firewall bypass"
},
{
"cve": "CVE-2023-27522",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"discovery_date": "2023-03-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2176211"
}
],
"notes": [
{
"category": "description",
"text": "An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via mod_proxy_uwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "httpd: mod_proxy_uwsgi HTTP response splitting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi has been categorized as moderate severity for Red Hat Enterprise Linux due to several technical factors. While the potential impact of this vulnerability is significant, its exploitation requires specific conditions, including the presence of mod_proxy_uwsgi and the ability to inject specially crafted headers into requests. Additionally, successful exploitation depends on the specific configuration of the server and the network environment. Furthermore, the vulnerability primarily affects the integrity and reliability of HTTP responses, rather than directly leading to remote code execution or unauthorized access. Therefore, the likelihood of exploitation and the potential impact on affected systems have been evaluated as moderate, warranting attention and remediation but not categorized as important.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27522"
},
{
"category": "external",
"summary": "RHBZ#2176211",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176211"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27522",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27522"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27522",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27522"
},
{
"category": "external",
"summary": "https://httpd.apache.org/security/vulnerabilities_24.html",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
}
],
"release_date": "2023-03-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Text-Only JBCS"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "httpd: mod_proxy_uwsgi HTTP response splitting"
},
{
"acknowledgments": [
{
"names": [
"Wei Chong Tan",
"Daniel Stenberg"
]
}
],
"cve": "CVE-2023-28319",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2023-05-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2196778"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free flaw was found in the Curl package. This flaw risks inserting sensitive heap-based data into the error message that users might see or is otherwise leaked and revealed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "curl: use after free in SSH sha256 fingerprint check",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability does not affect the Curl package as shipped in Red Hat Enterprise Linux 6, 7, 8 and 9.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-28319"
},
{
"category": "external",
"summary": "RHBZ#2196778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196778"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-28319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28319"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-28319",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28319"
},
{
"category": "external",
"summary": "https://curl.se/docs/CVE-2023-28319.html",
"url": "https://curl.se/docs/CVE-2023-28319.html"
}
],
"release_date": "2023-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "curl: use after free in SSH sha256 fingerprint check"
},
{
"acknowledgments": [
{
"names": [
"Hiroki Kurosawa",
"Daniel Stenberg"
]
}
],
"cve": "CVE-2023-28321",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2023-05-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2196786"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Curl package. An incorrect International Domain Name (IDN) wildcard match may lead to improper certificate validation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "curl: IDN wildcard match may lead to Improper Cerificate Validation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-28321"
},
{
"category": "external",
"summary": "RHBZ#2196786",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196786"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-28321",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28321"
},
{
"category": "external",
"summary": "https://curl.se/docs/CVE-2023-28321.html",
"url": "https://curl.se/docs/CVE-2023-28321.html"
}
],
"release_date": "2023-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "curl: IDN wildcard match may lead to Improper Cerificate Validation"
},
{
"acknowledgments": [
{
"names": [
"Hiroki Kurosawa",
"Daniel Stenberg"
]
}
],
"cve": "CVE-2023-28322",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2023-05-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2196793"
}
],
"notes": [
{
"category": "description",
"text": "A use-after-free flaw was found in the Curl package. This issue may lead to unintended information disclosure by the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "curl: more POST-after-PUT confusion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-28322"
},
{
"category": "external",
"summary": "RHBZ#2196793",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196793"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-28322",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28322"
},
{
"category": "external",
"summary": "https://curl.se/docs/CVE-2023-28322.html",
"url": "https://curl.se/docs/CVE-2023-28322.html"
}
],
"release_date": "2023-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "curl: more POST-after-PUT confusion"
},
{
"cve": "CVE-2023-28484",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-04-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2185994"
}
],
"notes": [
{
"category": "description",
"text": "A NULL pointer dereference vulnerability was found in libxml2. This issue occurs when parsing (invalid) XML schemas.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml2: NULL dereference in xmlSchemaFixupComplexType",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-28484"
},
{
"category": "external",
"summary": "RHBZ#2185994",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185994"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-28484",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-28484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28484"
}
],
"release_date": "2023-04-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libxml2: NULL dereference in xmlSchemaFixupComplexType"
},
{
"cve": "CVE-2023-29469",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-04-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2185984"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in libxml2. This issue occurs when hashing empty strings which aren\u0027t null-terminated, xmlDictComputeFastKey could produce inconsistent results, which may lead to various logic or memory errors, including double free errors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "libxml2: Hashing of empty dict strings isn\u0027t deterministic",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Text-Only JBCS"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-29469"
},
{
"category": "external",
"summary": "RHBZ#2185984",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185984"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-29469",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29469"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469"
}
],
"release_date": "2023-04-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-08-15T17:37:09+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Text-Only JBCS"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4628"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Text-Only JBCS"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "libxml2: Hashing of empty dict strings isn\u0027t deterministic"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…